| Linode Forum https://forum.linode.com/ |
|
| dropping 45 byte packets with iptables https://forum.linode.com/viewtopic.php?f=19&t=3853 |
| Author: | A32 [ Wed Jan 28, 2009 1:19 am ] |
| Post subject: | dropping 45 byte packets with iptables |
Is it possible to drop packets with a specific size? If there is, I can't seem to find it anywhere I look. I also looked at several pages mentioning iptables -m limit options, but I can't figure out this damn thing. Wish someone could write a clear and concise step-by-step tutorial on keeping the bed bugs away with iptables. Thanks |
|
| Author: | Xan [ Wed Jan 28, 2009 3:00 am ] |
| Post subject: | |
Code:
iptables -A INPUT -p udp --dport 53 --match length --length 45 -j DROP
I'm not sure about implementing it myself, though; can legitimate DNS traffic not also use 45 byte packets? Maybe it can't, since it would always be asking for more than just ".". If you use it, please report how it works. |
|
| Author: | A32 [ Wed Jan 28, 2009 4:43 pm ] |
| Post subject: | |
The query they're using is './NS/IN'.. Wonder why I didn't see --match in the documentation anywhere.. Maybe I wasn't looking in the right place.. Thanks for the info. Maybe I'll just fail2ban the './NS/IN' query! Hmmm.. |
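Why the number in Xan's rule is 45, and what else it would catch: the following is an added example written for this page, not code posted in the thread. It serialises the './NS/IN' query the poster is seeing (RFC 1035 message layout), adds the IPv4 and UDP header sizes, and emulates the comparison `iptables -m length` performs (xt_length reads the IPv4 total-length field, header included; the IPv6 figure would be 20 bytes larger). The EDNS0 OPT record, 11 bytes, is what a modern resolver appends; the query strings and the `parse_query`/`length_match` helpers are this example's own.

```python
import struct

IPV4_HEADER_LEN = 20   # assumes no IP options
UDP_HEADER_LEN = 8
QTYPE_NS = 2
QCLASS_IN = 1


def build_query(qname: str, qtype: int, qclass: int = QCLASS_IN,
                txid: int = 0x1234, edns: bool = False) -> bytes:
    """Serialise a minimal DNS query (RFC 1035 section 4.1).

    edns=True appends an empty EDNS0 OPT pseudo-RR (RFC 6891): 11 more
    bytes, and ARCOUNT becomes 1. Old or minimal clients omit it.
    """
    labels = [l for l in qname.strip(".").split(".") if l]
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD=1
    question = name + struct.pack("!HH", qtype, qclass)
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=0, RDLENGTH=0
    opt = struct.pack("!BHHIH", 0, 41, 4096, 0, 0) if edns else b""
    return header + question + opt


def parse_query(msg: bytes):
    """Decode the question section back into (qname, qtype, qclass, arcount)."""
    _txid, _flags, _qd, _an, _ns, ar = struct.unpack("!HHHHHH", msg[:12])
    pos, labels = 12, []
    while True:
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        labels.append(msg[pos:pos + n].decode("ascii"))
        pos += n
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels) + ".", qtype, qclass, ar


def wire_length(dns_message: bytes) -> int:
    """IPv4 total length of a UDP datagram carrying this message: the value
    that `iptables -m length` compares against."""
    return IPV4_HEADER_LEN + UDP_HEADER_LEN + len(dns_message)


def length_match(packet_len: int, spec: str) -> bool:
    """Emulate `--length n` and `--length min:max` (either bound may be empty)."""
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        lo = int(lo) if lo else 0
        hi = int(hi) if hi else 65535
    else:
        lo = hi = int(spec)
    return lo <= packet_len <= hi


if __name__ == "__main__":
    cases = {
        ". NS (no EDNS)": build_query(".", QTYPE_NS),
        ". NS (EDNS0)": build_query(".", QTYPE_NS, edns=True),
        "a. NS (no EDNS)": build_query("a.", QTYPE_NS),
        "example.com. NS": build_query("example.com.", QTYPE_NS),
    }
    for label, msg in cases.items():
        n = wire_length(msg)
        print(f"{label:22s} dns={len(msg):3d} wire={n:3d} dropped={length_match(n, '45')}")
```

Running it shows the root NS query with no EDNS is 12 header + 1 name + 4 type/class = 17 bytes of DNS, 45 on the wire; any other well-formed single-question query needs a longer name, and the same query with an OPT record is 56 bytes. So the rule drops exactly the no-EDNS root query, which is also what a recursive resolver's root priming query looks like when it does not use EDNS0; on an authoritative-only server that is not traffic you expect, which answers Xan's question for the common case.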
|
| Author: | mwalling [ Wed Jan 28, 2009 5:14 pm ] |
| Post subject: | |
I'm using the following, with a bantime of a week
Code:
failregex = ^%(__prefix_line)sclient <HOST>: query \(cache\) '\./NS/IN' denied |
|
| Author: | ohkus [ Wed Jan 28, 2009 11:51 pm ] |
| Post subject: | |
There are better ways to do this imho and many fixes; just set up bind so it only responds to the domains in your config and not to generic requests. |
|
| Author: | mwalling [ Thu Jan 29, 2009 12:13 am ] |
| Post subject: | |
A properly configured Bind will still respond with REFUSED, which is still a packet that is bound for the victim's IP address, and while not as significant as the root hints, it's still traffic that the victim doesn't need to be seeing. |
|
| Author: | A32 [ Thu Feb 05, 2009 3:34 am ] |
| Post subject: | |
mwalling wrote:
I'm using the following, with a bantime of a week
Code:
failregex = ^%(__prefix_line)sclient <HOST>: query \(cache\) '\./NS/IN' denied

Something's wrong with my fail2ban.. When it adds the iptables chain and the INPUT entry, it adds the wrong protocol (TCP) for blocking UDP traffic. Sure, fail2ban adds it to the chain, but the INPUT entry is all wrong, so everything just keeps coming in. |
|
| Author: | mwalling [ Thu Feb 05, 2009 11:56 am ] |
| Post subject: | |
If you're using the iptables action, you need to set the protocol as an argument. The default ssh-iptables jail has an example you could use. |
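To make concrete what the jail from this thread does, and why the protocol argument matters, here is an added Python model written for this page (not fail2ban's own code and not posted in the thread). It runs mwalling's failregex over constructed BIND security-log lines in syslog format, applies the `maxretry = 2` and `bantime = 864000` values from the jail.local quoted later in the thread with fail2ban's default `findtime` of 600 s, and prints the rules fail2ban's `iptables` action issues at jail start and on ban. Assumptions: the `%(__prefix_line)s` interpolation is dropped in favour of an unanchored search; an optional `#port` is allowed after the address because BIND 9 logs the client as `address#port`; the log year is set to 2009 because syslog lines carry none; the sample addresses are documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Jail parameters: maxretry and bantime as in the quoted jail.local,
# findtime as fail2ban's default. LOG_YEAR is an assumption for the sample.
MAXRETRY = 2
FINDTIME = timedelta(seconds=600)
BANTIME = timedelta(seconds=864000)
LOG_YEAR = 2009

# mwalling's pattern, searched rather than anchored with %(__prefix_line)s,
# plus an optional '#port' so it matches 'client 192.0.2.10#40213:' lines.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = re.compile(r"client " + HOST + r"(?:#\d+)?: query \(cache\) '\./NS/IN' denied")

# Constructed sample: BIND 'security' category lines as syslog stores them.
SAMPLE_LOG = """\
Feb  5 03:12:01 ns1 named[2231]: client 192.0.2.10#40213: query (cache) './NS/IN' denied
Feb  5 03:12:02 ns1 named[2231]: client 192.0.2.10#40214: query (cache) './NS/IN' denied
Feb  5 03:12:05 ns1 named[2231]: client 198.51.100.7#53: query (cache) './NS/IN' denied
Feb  5 03:12:09 ns1 named[2231]: client 203.0.113.4#5061: query (cache) 'example.com/A/IN' denied
Feb  5 03:40:00 ns1 named[2231]: client 198.51.100.7#53: query (cache) './NS/IN' denied
"""


def syslog_time(line: str) -> datetime:
    month, day, clock = line.split()[:3]
    return datetime.strptime(f"{month} {day} {clock} {LOG_YEAR}", "%b %d %H:%M:%S %Y")


def scan(log_text: str, maxretry: int = MAXRETRY, findtime: timedelta = FINDTIME) -> dict:
    """Return {host: ban_time} for each source matching FAILREGEX at least
    `maxretry` times within a sliding window of `findtime`."""
    recent = defaultdict(deque)
    bans = {}
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if not m or m.group("host") in bans:
            continue
        host, ts = m.group("host"), syslog_time(line)
        hits = recent[host]
        hits.append(ts)
        while ts - hits[0] > findtime:   # drop hits older than the window
            hits.popleft()
        if len(hits) >= maxretry:
            bans[host] = ts
    return bans


def action_start(name: str, port: str, protocol: str) -> list:
    """Roughly what the 'iptables' action runs at jail start: a private chain
    and a jump from INPUT that only covers ONE protocol and port. With the
    default protocol=tcp the chain never sees UDP DNS traffic."""
    chain = f"fail2ban-{name}"
    return [
        f"iptables -N {chain}",
        f"iptables -A {chain} -j RETURN",
        f"iptables -I INPUT -p {protocol} --dport {port} -j {chain}",
    ]


def action_ban(name: str, host: str) -> str:
    return f"iptables -I fail2ban-{name} 1 -s {host} -j DROP"


def unban_at(ban_time: datetime, bantime: timedelta = BANTIME) -> datetime:
    return ban_time + bantime


if __name__ == "__main__":
    name = "named-refused-udp"
    for proto in ("tcp", "udp"):
        print(f"# protocol={proto}")
        print("\n".join(action_start(name, "domain", proto)))
    for host, when in scan(SAMPLE_LOG).items():
        print(action_ban(name, host), f"# until {unban_at(when)}")
```

In the sample, 192.0.2.10 is banned on its second query one second later, while 198.51.100.7's two queries are 28 minutes apart and never reach `maxretry` inside the 600 s window; the ban rule itself is protocol-agnostic (`-s host -j DROP` in the private chain), so the only thing that decides whether UDP is covered is the `-p` on the INPUT jump rule, which is why the jail needs `protocol = udp` passed to the action.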
|
| Author: | A32 [ Thu Feb 05, 2009 5:39 pm ] |
| Post subject: | |
I don't have one of those :-/ I just downloaded the most recent fail2ban too.

jail.conf
Quote:
# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
# provided now under /usr/share/doc/fail2ban/examples/jail.conf
# for additional examples.
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# Author: Yaroslav O. Halchenko <debian@onerussian.com>
#
# $Revision: 281 $
#

# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1
bantime  = 600
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = polling

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost

#
# ACTIONS
#

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overriden globally or per
# section within jail.local file
banaction = iptables-multiport

# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail

# Default protocol
protocol = tcp

#
# Action shortcuts. To be used to define action parameter

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
            %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
             %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]

# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s

#
# JAILS
#

# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
# was shipped in Debian. Enable any defined here jail by including
#
# [SECTION_NAME]
# enabled = true
#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local

[ssh]

enabled  = false
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

# Generic filter for pam. Has to be used with action which bans all ports
# such as iptables-allports, shorewall
[pam-generic]

enabled  = false
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter   = pam-generic
# port actually must be irrelevant but lets leave it all for some possible uses
port     = all
banaction = iptables-allports
port     = anyport
logpath  = /var/log/auth.log
maxretry = 6

[xinetd-fail]

enabled   = false
filter    = xinetd-fail
port      = all
banaction = iptables-multiport-log
logpath   = /var/log/daemon.log
maxretry  = 2

[ssh-ddos]

enabled  = false
port     = ssh
filter   = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 6

#
# HTTP servers
#

[apache]

enabled  = false
port     = http,https
filter   = apache-auth
logpath  = /var/log/apache*/*error.log
maxretry = 6

# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]

enabled  = false
port     = http,https
filter   = apache-auth
logpath  = /var/log/apache*/*error.log
maxretry = 6

[apache-noscript]

enabled  = false
port     = http,https
filter   = apache-noscript
logpath  = /var/log/apache*/*error.log
maxretry = 6

[apache-overflows]

enabled  = false
port     = http,https
filter   = apache-overflows
logpath  = /var/log/apache*/*error.log
maxretry = 2

#
# FTP servers
#

[vsftpd]

enabled  = false
port     = ftp,ftp-data,ftps,ftps-data
filter   = vsftpd
logpath  = /var/log/vsftpd.log
# or overwrite it in jails.local to be
# logpath = /var/log/auth.log
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
maxretry = 6

[proftpd]

enabled  = false
port     = ftp,ftp-data,ftps,ftps-data
filter   = proftpd
logpath  = /var/log/proftpd/proftpd.log
maxretry = 6

[wuftpd]

enabled  = false
port     = ftp,ftp-data,ftps,ftps-data
filter   = wuftpd
logpath  = /var/log/auth.log
maxretry = 6

#
# Mail servers
#

[postfix]

enabled  = false
port     = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log

[couriersmtp]

enabled  = false
port     = smtp,ssmtp
filter   = couriersmtp
logpath  = /var/log/mail.log

#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#

[courierauth]

enabled  = false
port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = courierlogin
logpath  = /var/log/mail.log

[sasl]

enabled  = false
port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = sasl
logpath  = /var/log/mail.log

# DNS Servers

# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
#     channel security_file {
#         file "/var/log/named/security.log" versions 3 size 30m;
#         severity dynamic;
#         print-time yes;
#     };
#     category security {
#         security_file;
#     };
# }
#
# in your named.conf to provide proper logging

# Word of Caution:
# Given filter can lead to DoS attack against your DNS server
# since there is no way to assure that UDP packets come from the
# real source IP

[named-refused-udp]

enabled   = true
port      = domain,953
protocol  = udp
banaction = iptables-allports
filter    = named-refused
#logpath  = /var/log/named/security.log
logpath   = /var/log/syslog

[named-refused-tcp]

enabled  = false
port     = domain,953
protocol = tcp
filter   = named-refused
logpath  = /var/log/named/security.log

jail.local
Quote:
# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
# provided now under /usr/share/doc/fail2ban/examples/jail.conf
# for additional examples.
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# Author: Yaroslav O. Halchenko <debian@onerussian.com>
#
# $Revision: 281 $
#

# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 75.174.57.33
bantime  = 864000
maxretry = 2

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = polling

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost

# Default action to take: ban only
action = iptables[name=%(__name__)s, port=%(port)s]

# Following actions can be chosen as an alternatives to the above action.
# To activate, just copy/paste+uncomment chosen 2 (excluding comments) lines
# into jail.local

# Default action to take: ban & send an e-mail with whois report
# to the destemail.
# action = iptables[name=%(__name__)s, port=%(port)s]
#          mail-whois[name=%(__name__)s, dest=%(destemail)s]

# Default action to take: ban & send an e-mail with whois report
# and relevant log lines to the destemail.
# action = iptables[name=%(__name__)s, port=%(port)s]
#          mail-whois-lines[name=%(__name__)s, dest=%(destemail)s, logpath=%(logpath)s]

# Next jails corresponds to the standard configuration in Fail2ban 0.6
# which was shipped in Debian. Please enable any defined here jail by including
#
# [SECTION_NAME]
# enabled = true
#
# in /etc/fail2ban/jail.local.
#

[ssh]

enabled  = false
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 2

#
# HTTP servers
#

[apache]

enabled  = false
port     = http
filter   = apache-auth
logpath  = /var/log/apache*/*access.log
maxretry = 6

#
# FTP servers
#

[vsftpd]

enabled  = false
port     = ftp
filter   = vsftpd
logpath  = /var/log/auth.log
maxretry = 6

#
# Mail servers
#

[postfix]

enabled  = false
port     = smtp
filter   = postfix
logpath  = /var/log/postfix.log

[sasl]

enabled  = false
port     = smtp
filter   = sasl
logpath  = /var/log/mail.log |
|
| Author: | mwalling [ Thu Feb 05, 2009 6:17 pm ] |
| Post subject: | |
Code:
# This file was composed for Debian systems from the original one
Patch-happy distros? OpenSSL? What?
Code:
[bind-ddos] |
|
| Author: | A32 [ Thu Feb 05, 2009 9:45 pm ] |
| Post subject: | |
I put your [bind-ddos] in jail.local and created a bind-ddos.conf in filter.d/, but I just got some funky errors.
Quote:
  File "/usr/bin/fail2ban-client", line 375, in __readConfig
    ret = self.__configurator.getOptions()
  File "/usr/share/fail2ban/client/configurator.py", line 65, in getOptions
    return self.__jails.getOptions(jail)
  File "/usr/share/fail2ban/client/jailsreader.py", line 64, in getOptions
    ret = jail.getOptions()
  File "/usr/share/fail2ban/client/jailreader.py", line 77, in getOptions
    self.__filter.getOptions(self.__opts)
  File "/usr/share/fail2ban/client/filterreader.py", line 60, in getOptions
    self.__opts = ConfigReader.getOptions(self, "Definition", opts, pOpts)
  File "/usr/share/fail2ban/client/configreader.py", line 84, in getOptions
    v = self.get(sec, option[1])
  File "/usr/lib/python2.4/ConfigParser.py", line 525, in get
    return self._interpolate(section, option, value, d)
  File "/usr/lib/python2.4/ConfigParser.py", line 593, in _interpolate
    self._interpolate_some(option, L, rawval, section, vars, 1)
  File "/usr/lib/python2.4/ConfigParser.py", line 624, in _interpolate_some
    raise InterpolationMissingOptionError(
ConfigParser.InterpolationMissingOptionError: Bad value substitution:
        section: [Definition]
        option : failregex
        key    : __prefix_line
        rawval : client <HOST>: query \(cache\) '\./NS/IN' denied

I think I'll just give up. |
|
| All times are UTC-04:00 |