[syslog-ng] Firewalling with syslog-ng, a working prototype
Valentijn Sessink
valentyn at blub.net
Mon Feb 21 13:30:42 CET 2011
On 21-02-11 12:50, Alexander Clouter wrote:
> Be careful as you are possibly opening yourself up to a DoS; for the v6
> case. Most attackers will be able to move through their local /64 which
> might cause problems when using recent directly, might be worth
> combining it with hashlimit too.
Thanks for the useful addition. Yes, we did realise that you can get
IPv6/48 netblocks for free, meaning a million billion billion IP
addresses, meaning you could use a new source address for every single
attempt and still have some left for all the square centimeters of your
part of the earth.
Fortunately, the xt_recent module is quite limiting in itself: the
"ip_list_tot" is 100, meaning there won't be more than 100 IP addresses
in the list. And please note that IPv4 and IPv6 are mixed here, so it's
100 addresses total.
All in all, this method won't work when IPv6 attacks become more widely
used and more sophisticated (using a new IP address for every
connection); it would just slowly flush the list.
However, I haven't seen such a connection for now, so at the moment, you
would be safe by looking at the "block" log file once in a while.
(With a script or so ;-)
Best regards,
Valentijn
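The post suggests keeping an eye on the "block" log file with a script. The following is an added example, not code from the thread or from the syslog-ng project, of what such a script could check: it reads the blocked source addresses, groups IPv6 sources by their /64 (the netblock Alexander mentioned) to flag an attacker walking through many addresses in one prefix, and reports how full the 100-entry xt_recent table would be. It assumes the log lines carry the source address in an iptables-style "SRC=" field and that ip_list_tot is the default 100 named in the post; the log lines embedded below are constructed for this example.

```python
"""Scan a "block" log for xt_recent list churn (added example, not from the thread).

Assumptions (not stated in the original post):
  - blocked sources appear in an iptables LOG style "SRC=" field
  - the xt_recent table holds at most ip_list_tot = 100 entries, IPv4 and IPv6 mixed
"""
import ipaddress
import re
from collections import defaultdict

IP_LIST_TOT = 100  # xt_recent table size as stated in the post

# Constructed sample log lines; not real traffic.
SAMPLE_LOG = """\
Feb 21 13:01:02 host kernel: block: IN=eth0 SRC=198.51.100.7 PROTO=TCP DPT=514
Feb 21 13:01:05 host kernel: block: IN=eth0 SRC=2001:db8:1:2::1 PROTO=TCP DPT=514
Feb 21 13:01:06 host kernel: block: IN=eth0 SRC=2001:db8:1:2::2 PROTO=TCP DPT=514
Feb 21 13:01:07 host kernel: block: IN=eth0 SRC=2001:db8:1:2::3 PROTO=TCP DPT=514
Feb 21 13:01:08 host kernel: block: IN=eth0 SRC=2001:db8:1:2:ffff::9 PROTO=TCP DPT=514
Feb 21 13:01:09 host kernel: block: IN=eth0 SRC=2001:db8:9:9::1 PROTO=TCP DPT=514
Feb 21 13:01:10 host kernel: block: IN=eth0 SRC=198.51.100.7 PROTO=TCP DPT=514
"""

SRC_RE = re.compile(r"\bSRC=([0-9a-fA-F:.]+)")


def parse_sources(log_text):
    """Return every source address found in the log, duplicates kept, as ipaddress objects."""
    addrs = []
    for line in log_text.splitlines():
        match = SRC_RE.search(line)
        if not match:
            continue
        try:
            addrs.append(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue  # malformed field: skip the line rather than abort the scan
    return addrs


def group_by_prefix(addrs, v6_prefixlen=64):
    """Map each IPv6 /64 (IPv4 addresses stand alone) to the distinct addresses seen in it."""
    groups = defaultdict(set)
    for addr in addrs:
        if addr.version == 6:
            key = str(ipaddress.ip_network(f"{addr}/{v6_prefixlen}", strict=False))
        else:
            key = str(addr)
        groups[key].add(addr)
    return groups


def analyse(log_text, threshold=3, list_tot=IP_LIST_TOT):
    """Summarise the log: entry counts, table fill ratio, and prefixes cycling through addresses."""
    addrs = parse_sources(log_text)
    distinct = set(addrs)
    groups = group_by_prefix(addrs)
    churning = {prefix: len(seen) for prefix, seen in groups.items() if len(seen) >= threshold}
    return {
        "entries": len(addrs),
        "distinct": len(distinct),
        # fraction of the xt_recent table these sources alone would occupy
        "table_fill": len(distinct) / list_tot,
        "churning_prefixes": churning,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    print(f"{report['entries']} blocked hits, {report['distinct']} distinct sources "
          f"({report['table_fill']:.0%} of the {IP_LIST_TOT}-entry table)")
    for prefix, count in report["churning_prefixes"].items():
        print(f"warning: {count} distinct addresses seen from {prefix}; "
              "per-address blocking is being cycled, consider a per-/64 rule or hashlimit")
```

Run it against the real log with `analyse(open("/path/to/block.log").read())`; the threshold of three distinct addresses per /64 is an arbitrary starting point and should be tuned to what normal clients on the network look like.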