
Re: another seeming attack on my server's DirPort



     On Wed, 19 Dec 2007 09:11:02 -0500 Michael Holstein
<michael.holstein@xxxxxxxxxxx> wrote:
>> The symptom, like the last time, was that output rate on my
>> machine's main Ethernet interface was running steadily around the transmit
>> rate limit imposed by my ADSL line.
>tweak as desired ... this would permit 1 connection per minute from a 
>given IP. Replace (torDirPort) with whatever TCP port you're serving the 
>DIR on.
>
># check the "recent" list before recording the new connection; with the
># --set/ACCEPT rule first, the LOG/DROP rules never see a new connection
>iptables -A INPUT -p tcp --dport (torDirPort) -m state --state NEW -m recent --update --seconds 60 --hitcount 1 --rttl --name TORdir -j LOG --log-prefix "TORdir flood"
>iptables -A INPUT -p tcp --dport (torDirPort) -m state --state NEW -m recent --update --seconds 60 --hitcount 1 --rttl --name TORdir -j DROP
>iptables -A INPUT -p tcp --dport (torDirPort) -m state --state NEW -m recent --set --name TORdir -j ACCEPT
>
>(adapted from an SSH bruteforce mitigation rule to do a similar thing.)
>
     Thanks, but I'm using pf under FreeBSD 6.3-PRERELEASE.  At present, I'm
blocking *all* inbound packets at the router from the two offenders noticed so
far.  I'm not really doing much with pf at the moment, but I intend to whenever
I get around to setting up a particular tor configuration that will need some
redirection to work right.


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:       bennett at cs.niu.edu                              *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************
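The pf counterpart of the iptables "recent" rate limit quoted above, written as an added example for a FreeBSD relay like the one described (it is not from this thread); the interface name, DirPort number and the 1-per-60-seconds limit are assumptions to adjust to the relay's torrc:

```pf
# Added example, not from the thread.  Interface, port and limits are
# assumed values; change them to match the relay's configuration.
ext_if = "em0"          # assumed external interface
tor_dirport = "9030"    # assumed DirPort from torrc

# Sources that exceed the connection rate are added to this table.
table <tor_dir_abusers> persist

# Drop DirPort traffic from listed sources (like the iptables DROP rule).
# "log" sends matches to pflog0 for review, like the iptables LOG rule.
block in quick log on $ext_if proto tcp from <tor_dir_abusers> \
    to ($ext_if) port $tor_dirport

# Allow new DirPort connections, but at most 1 per 60 s per source
# (cf. "--seconds 60 --hitcount 1").  A source exceeding that is put
# in the table and its states from this rule are flushed.
pass in on $ext_if proto tcp to ($ext_if) port $tor_dirport \
    flags S/SA keep state \
    (max-src-conn-rate 1/60, overload <tor_dir_abusers> flush)
```

Listed sources stay blocked until removed: `pfctl -t tor_dir_abusers -T show` lists them, and running `pfctl -t tor_dir_abusers -T expire 3600` from cron drops entries older than an hour so a misbehaving client is not blocked forever.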