Full Disclosure mailing list archives
Re: heartbleed OpenSSL bug CVE-2014-0160
From: Reindl Harald <h.reindl () thelounge net>
Date: Thu, 10 Apr 2014 11:01:18 +0200
On 09.04.2014 23:33, Juergen Christoffel wrote:
> On Wed, Apr 09, 2014 at 09:24:25PM +0200, Reindl Harald wrote:
>> iptables logging needs to be rate-limited always because of how it works,
>> otherwise you have a problem the first time it really happens seriously
>
> Using limits is sensible, yes. But
>
> -m limit --limit 1/m
>
> this might be a bit too restrictive to gather data on attempts at
> heartbleeding. And --hashlimit might be more appropriate too as it keeps
> a counter per IP address.
Agreed, and thanks for the --hashlimit option. After a large DDoS attack from more than 10000 IP addresses I got that restrictive :-)

Sadly I can't confirm that it works, because testing with http://filippo.io/Heartbleed/ doesn't produce any log entry, and since iptables lives on a deeper layer than httpd it should cry even on patched machines.

__________________________________________________________________________________________________________________

iptables -A INPUT ! -i lo -p tcp -m multiport --destination-port 443,993,995 -m u32 --u32 "52=0x18030000:0x1803FFFF" -m limit --limit 5/h -j LOG --log-level debug --log-prefix "Firewall: Heartbleed"
iptables -A INPUT ! -i lo -p tcp -m multiport --destination-port 443,993,995 -m u32 --u32 "52=0x18030000:0x1803FFFF" -j DROP

__________________________________________________________________________________________________________________

iptables --list --numeric --verbose

    0     0 LOG   tcp  --  !lo    *   0.0.0.0/0   0.0.0.0/0   multiport dports 443,993,995 u32 "0x34=0x18030000:0x1803ffff" limit: avg 5/hour burst 5 LOG flags 0 level 7 prefix "Firewall: Heartbleed"
    0     0 DROP  tcp  --  !lo    *   0.0.0.0/0   0.0.0.0/0   multiport dports 443,993,995 u32 "0x34=0x18030000:0x1803ffff"

__________________________________________________________________________________________________________________
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
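An added example, not code from this post or from the list: it emulates the u32 test in the rule quoted above ("52=0x18030000:0x1803FFFF") on constructed IPv4/TCP segments and compares it with the TLS record offset derived from the actual IP and TCP header lengths. The rule's offset 52 assumes a 20-byte IPv4 header plus a 32-byte TCP header; when the TCP options differ the record starts elsewhere and the rule silently never fires, which is one reason a test can produce no log entry. All function names and sample packets here are my own constructions.

```python
import struct

U32_OFFSET = 52  # offset in the rule, counted from the start of the IP header


def tls_record_offset(pkt: bytes) -> int:
    """Real start of the TCP payload (= first TLS record) from header lengths."""
    ihl = (pkt[0] & 0x0F) * 4                    # IPv4 IHL, in 32-bit words
    data_off = ((pkt[ihl + 12] >> 4) & 0x0F) * 4  # TCP data offset, in 32-bit words
    return ihl + data_off


def u32_rule_matches(pkt: bytes) -> bool:
    """Emulate u32 '52=0x18030000:0x1803FFFF': 4 bytes at offset 52 in range."""
    if len(pkt) < U32_OFFSET + 4:
        return False  # u32 fails the match when the read runs past the packet end
    val = struct.unpack("!I", pkt[U32_OFFSET:U32_OFFSET + 4])[0]
    return 0x18030000 <= val <= 0x1803FFFF


def is_heartbeat_record(pkt: bytes) -> bool:
    """Check the TLS record header at the true payload offset instead."""
    off = tls_record_offset(pkt)
    # content type 0x18 = heartbeat, major version byte 0x03 (SSLv3/TLS)
    return len(pkt) >= off + 5 and pkt[off] == 0x18 and pkt[off + 1] == 0x03


def build_packet(tcp_opts: bytes, payload: bytes) -> bytes:
    """Constructed IPv4/TCP segment (no checksums) with the given TCP options."""
    tcp_len = 20 + len(tcp_opts)
    ip = bytes([0x45, 0]) + struct.pack("!H", 20 + tcp_len + len(payload)) + b"\x00" * 16
    tcp = struct.pack("!HHIIBBHHH", 12345, 443, 1, 1, (tcp_len // 4) << 4, 0x18, 65535, 0, 0)
    return ip + tcp + tcp_opts + payload


# Constructed sample TLS records: a heartbeat response header and an app-data header.
HEARTBEAT = bytes.fromhex("1803020003020000")
APP_DATA = bytes.fromhex("1703020003020000")
# 12 bytes of TCP options (NOP, NOP, timestamps) gives the 32-byte TCP header the rule assumes.
TS_OPTS = b"\x01\x01\x08\x0a" + b"\x00" * 8

if __name__ == "__main__":
    for name, opts in (("32-byte TCP header", TS_OPTS), ("20-byte TCP header", b"")):
        pkt = build_packet(opts, HEARTBEAT)
        print(name, "record at", tls_record_offset(pkt),
              "u32 match:", u32_rule_matches(pkt), "heartbeat:", is_heartbeat_record(pkt))
```

The second case shows the gap: the segment carries a heartbeat record at offset 40, but the fixed-offset rule does not match it.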