<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font size="-1"><font face="Verdana">Let us know if that works ;)</font></font><br>
<br>
On 23/02/2012 15:20, escapedturkey wrote:
<blockquote
cite="mid:CALCvV0z6UjmR34X1iA1Z1nQZGS9JrWU=z906b538gcSOmhpShQ@mail.gmail.com"
type="cite">Thank you. Much appreciated. =)<br>
<br>
<div class="gmail_quote">On Thu, Feb 23, 2012 at 7:33 AM, Marco
Padovan <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:evcz@evcz.tk">evcz@evcz.tk</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> <font size="-1"><font
face="Verdana">Ehm,<br>
nope :D<br>
<br>
You need all the lines John posted:<br>
<br>
</font></font><a moz-do-not-send="true"
href="http://icculus.org/pipermail/cod/2012-January/015861.html"
target="_blank">http://icculus.org/pipermail/cod/2012-January/015861.html</a><br>
<br>
To make it work on centos5 / 6, change in that ruleset:
<div class="im"><br>
iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit-above 2/second -j QUERY-BLOCK<br>
<font size="-1"><font face="Verdana"><br>
in this way (two different lines):<br>
iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit 2/s -j RETURN<br>
iptables -A QUERY-CHECK -j QUERY-BLOCK<br>
</font></font><br>
</div>
<font size="-1"><font face="Verdana">all the other rules
should be kept as they are :)<br>
</font></font><br>
On 23/02/2012 13:10, escapedturkey wrote:
<div>
<div class="h5">
<blockquote type="cite">
<div>Thank you. I missed those lines.<br>
</div>
<div><br>
</div>
<div>Here is what I have so far:</div>
<div><br>
</div>
<div>/sbin/iptables -N QUERY-BLOCK<br>
/sbin/iptables -A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP<br>
/sbin/iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit 2/s -j RETURN<br>
/sbin/iptables -A QUERY-CHECK -j QUERY-BLOCK</div>
<div><br>
</div>
<div>Is this correct? </div>
<div><br>
</div>
<div>Thank you again. =)</div>
<br>
<div class="gmail_quote">On Thu, Feb 23, 2012 at 5:32
AM, Marco Padovan <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:evcz@evcz.tk" target="_blank">evcz@evcz.tk</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> <font
size="-1"><font face="Verdana">did you issue all the other commands?<br>
<br>
like:<br>
<br>
</font></font>
<div>iptables -N QUERY-BLOCK<br>
iptables -A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP<br>
<br>
</div>
?<br>
<br>
On 23/02/2012 03:54, escapedturkey wrote:
<div>
<div>
<blockquote type="cite">
<div>iptables v1.4.7: Couldn't load target `QUERY-BLOCK':/lib64/xtables/libipt_QUERY-BLOCK.so: cannot open shared object file: No such file or directory<br>
</div>
<div><br>
</div>
<div>Any ideas?</div>
<br>
<br>
<div class="gmail_quote"> On Wed, Feb 22,
2012 at 4:51 PM, Marco Padovan <span
dir="ltr"><<a
moz-do-not-send="true"
href="mailto:evcz@evcz.tk"
target="_blank">evcz@evcz.tk</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<font size="-1"><font face="Verdana">on
centos5 and centos6<br>
<br>
modifying this line:<br>
</font></font>
<div>iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit-above 2/second -j QUERY-BLOCK<br>
</div>
<font size="-1"><font face="Verdana"><br>
in this way (two different lines):<br>
iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit 2/s -j RETURN<br>
iptables -A QUERY-CHECK -j QUERY-BLOCK<br>
<br>
should mimic the same behaviour<br>
</font></font><br>
On 22/02/2012 18:43, Geoff Goas wrote:
<div>
<div>
<blockquote type="cite">Hi,<br>
<br>
On CentOS 5.5, <i
style="font-family:courier
new,monospace">--hashlimit-above</i>
is not a valid option for the
"hashlimit" match. Which
version of iptables introduces
this, and how can I mimic that
same ruleset with the options
available to me in version
1.3.5 of iptables?<br>
<br>
Thanks,<br>
<br>
<div class="gmail_quote">On
Fri, Jan 20, 2012 at 7:51
PM, John <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:lists.cod@nuclearfallout.net"
target="_blank">lists.cod@nuclearfallout.net</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF"
text="#000000">
<div> On 1/20/2012 3:27
PM, Marco Padovan
wrote: </div>
<blockquote type="cite"><font
size="-1"><font
face="Verdana">
<div>I was
referring to
dynamic
filtering using
-m recent<br>
<br>
</div>
[not] to manually
adding IPs O.o</font></font></blockquote>
<br>
Marco's right about
this. The most effective
way to prevent effects
from these attacks on
Linux is to use a
combination of the
"string", "hashlimit",
and "recent" modules.
Done right, the solution
is mostly automatic, so
you shouldn't need to
manually add IPs.<br>
<br>
These commands, for
instance, would block
external IPs that send
queries at a rate of
2/second or higher:<br>
<br>
# add a host to the banlist and then drop the packet.<br>
iptables -N QUERY-BLOCK<br>
iptables -A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP<br>
<br>
# is this a query packet? if so, block commonly attacked ports outright, <br>
# then see if it's a known attacking IP, then see if it is sending at a high<br>
# rate and should be added to the list of known attacking IPs.<br>
iptables -N QUERY-CHECK<br>
iptables -A QUERY-CHECK -p udp -m string ! --string "getstatus" --algo bm --from 32 --to 41 -j RETURN<br>
iptables -A QUERY-CHECK -p udp --sport 0:1025 -j DROP<br>
iptables -A QUERY-CHECK -p udp --sport 3074 -j DROP<br>
iptables -A QUERY-CHECK -p udp --sport 7777 -j DROP<br>
iptables -A QUERY-CHECK -p udp --sport 27015:27100 -j DROP<br>
iptables -A QUERY-CHECK -p udp --sport 25200 -j DROP<br>
iptables -A QUERY-CHECK -p udp --sport 25565 -j DROP<br>
# is it already blocked? continue blocking it and update the counter so it<br>
# gets blocked for at least another 30 seconds.<br>
iptables -A QUERY-CHECK -m recent --update --name blocked-hosts --seconds 30 --hitcount 1 -j DROP<br>
# check to see if it exceeds our rate threshold,<br>
# and add it to the list if it does.<br>
iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit-above 2/second -j QUERY-BLOCK<br>
<br>
# look at all the packets going to q3/cod*/et/etc servers<br>
iptables -A INPUT -p udp --dport 27960:29000 -j QUERY-CHECK<br>
<br>
The "recent" module
makes it possible to
block up to 100 IPs at
once with this method
(any attackers beyond
this would only be
rate-limited). That
number can be raised
when the module is
loaded, but I haven't
seen 100 attacks
happening at once yet
(typically it's maybe
5-20 at once). You can
see blocked hosts later
by looking at
/proc/net/xt_recent/blocked-hosts.<br>
<br>
(If you don't have
"recent", you could get
away without it -- just
be aware that some of
the packets will get
through, increasing load
on the game server.
Without "hashlimit",
you'd still see an
advantage from the port
checks, but you'd need
to manually block IPs
that are being hit on
other ports. Without
"string", you'd
similarly be down to
just port checks, and
need to take out the
other rules.)<span><font
color="#888888"><br>
<br>
-John<br>
</font></span></div>
<br>
_______________________________________________<br>
cod mailing list<br>
<a moz-do-not-send="true"
href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a><br>
<a moz-do-not-send="true"
href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<i><b><font size="1"><span
style="font-family:tahoma,sans-serif">Geoff
Goas</span><br
style="font-family:tahoma,sans-serif">
<span
style="font-family:tahoma,sans-serif">Systems
Engineer</span></font></b></i><br>
<br>
<br>
<br>
</blockquote>
</div>
</div>
</div>
<br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<div>EscapedTurkey.com Billing and Support<br>
</div>
<div><a moz-do-not-send="true"
href="https://www.escapedturkey.com/helpdesk"
target="_blank">https://www.escapedturkey.com/helpdesk</a></div>
<br>
<br>
<br>
</blockquote>
</div>
</div>
</div>
<br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<div>EscapedTurkey.com Billing and Support<br>
</div>
<div><a moz-do-not-send="true"
href="https://www.escapedturkey.com/helpdesk"
target="_blank">https://www.escapedturkey.com/helpdesk</a></div>
<br>
<br>
<br>
</blockquote>
</div>
</div>
</div>
<br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<div>EscapedTurkey.com Billing and Support<br>
</div>
<div><a moz-do-not-send="true"
href="https://www.escapedturkey.com/helpdesk" target="_blank">https://www.escapedturkey.com/helpdesk</a></div>
<br>
<br>
</blockquote>
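<br>
The ruleset John posted, the two-line CentOS 5/6 substitute Marco gives for the missing --hashlimit-above, and the reason the string match uses --from 32 --to 41, replayed offline. This is an added example written for this page, not code from the list or from any of the posters: a small Python model of the QUERY-CHECK and QUERY-BLOCK chains fed constructed packets (documentation addresses, made-up timestamps). It models hashlimit as a per-source token bucket with the module's default burst of 5, recent as a per-source last-seen stamp in a 100-entry LRU table, and assumes a 20-byte IPv4 header in front of the 8-byte UDP header and the 4-byte 0xFF marker; those are assumptions of the example, not statements from the thread.<br>

```python
# Added example, not code from the thread: an offline model of John's QUERY-CHECK /
# QUERY-BLOCK rules that replays constructed packets and reports each verdict.
# Simplifications: hashlimit = per-source token bucket with the module's default burst
# of 5; recent = last-seen stamp per source, LRU table of 100; IPv4 header = 20 bytes.
import struct
from collections import namedtuple

Packet = namedtuple("Packet", "t src sport dport payload")   # constructed, not a capture
IPV4_HDR, UDP_HDR = 20, 8
OOB_MARKER = b"\xff\xff\xff\xff"                   # quake3-engine connectionless prefix
QUERY = b"getstatus"
STRING_FROM = IPV4_HDR + UDP_HDR + len(OOB_MARKER)  # 32: where the command name starts
STRING_TO = STRING_FROM + len(QUERY)                # 41: just past its last byte (offset 40)
DROP_SPORTS = [(0, 1025), (3074, 3074), (7777, 7777), (27015, 27100), (25200, 25200), (25565, 25565)]

def build_datagram(pkt):   # dummy IPv4 header + UDP header + payload; only lengths matter for offsets
    udp = struct.pack("!HHHH", pkt.sport, pkt.dport, UDP_HDR + len(pkt.payload), 0)
    return bytes(IPV4_HDR) + udp + pkt.payload

def string_match(datagram, needle=QUERY, frm=STRING_FROM, to=STRING_TO):   # -m string --from/--to
    return needle in datagram[frm:to + 1]

class HashLimit:
    """--hashlimit-mode srcip: one token bucket per source, refilled at `rate` tokens/second."""
    def __init__(self, rate=2.0, burst=5):
        self.rate, self.burst, self.buckets = rate, burst, {}

    def above(self, src, now):   # True = over the rate (--hashlimit-above); --hashlimit is the inverse
        tokens, last = self.buckets.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        self.buckets[src] = (tokens - 1.0 if tokens >= 1.0 else tokens, now)
        return tokens < 1.0

class Recent:
    """-m recent --name blocked-hosts: last-seen time per source; dict order doubles as LRU order."""
    def __init__(self, max_entries=100):
        self.max_entries, self.seen = max_entries, {}

    def set(self, src, now):               # --set: add or refresh, evicting the LRU entry when full
        if src not in self.seen and len(self.seen) >= self.max_entries:
            del self.seen[next(iter(self.seen))]
        self.seen.pop(src, None)
        self.seen[src] = now

    def update(self, src, now, seconds):   # --update --seconds N --hitcount 1
        last = self.seen.get(src)
        if last is None or now - last > seconds:
            return False                   # no match, and the stamp is NOT refreshed
        self.seen.pop(src)
        self.seen[src] = now               # match: the ban runs for at least another N seconds
        return True

class Firewall:
    def __init__(self, legacy_hashlimit=False):
        self.legacy, self.hashlimit, self.blocked = legacy_hashlimit, HashLimit(), Recent()

    def rate_rules(self):
        """The hashlimit step in the two forms the thread compares, as (match, target) pairs."""
        above = lambda p: self.hashlimit.above(p.src, p.t)
        if self.legacy:   # CentOS 5/6: --hashlimit 2/s -j RETURN, then an unconditional -j QUERY-BLOCK
            return [(lambda p: not above(p), "RETURN"), (lambda p: True, "QUERY-BLOCK")]
        return [(above, "QUERY-BLOCK")]   # --hashlimit-above 2/second -j QUERY-BLOCK

    def query_block(self, pkt):            # QUERY-BLOCK: -m recent --set --name blocked-hosts -j DROP
        self.blocked.set(pkt.src, pkt.t)
        return "DROP (added to blocked-hosts)"

    def input(self, pkt):                  # INPUT -p udp --dport 27960:29000 -j QUERY-CHECK
        if not 27960 <= pkt.dport <= 29000:
            return "NOT CHECKED (dport outside 27960:29000)"
        return self.query_check(pkt)

    def query_check(self, pkt):
        if not string_match(build_datagram(pkt)):
            return "RETURN (not a getstatus query)"
        for lo, hi in DROP_SPORTS:
            if lo <= pkt.sport <= hi:
                return "DROP (source port %d in %d:%d)" % (pkt.sport, lo, hi)
        if self.blocked.update(pkt.src, pkt.t, seconds=30):
            return "DROP (already in blocked-hosts, ban extended)"
        for matches, target in self.rate_rules():
            if matches(pkt):
                return self.query_block(pkt) if target == "QUERY-BLOCK" else "RETURN (under rate limit)"
        return "RETURN (under rate limit)"  # fell off the end of the chain

def run_scenario(legacy=False):
    """Constructed traffic: a polite client, a flooding source, and a spoofed source port."""
    fw, q, v = Firewall(legacy), OOB_MARKER + QUERY, {}
    v["client"] = [fw.input(Packet(t, "203.0.113.5", 40000, 28960, q)) for t in (0, 5, 10)]
    flood = [fw.input(Packet(0.0, "198.51.100.7", 51000, 28960, q)) for _ in range(50)]
    v["flood"] = [x.split()[0] for x in flood]          # "RETURN" or "DROP" per packet
    v["blocked_gamedata"] = fw.input(Packet(1.0, "198.51.100.7", 51000, 28960, b"\x00\x01"))
    v["probe_29s"] = fw.input(Packet(29.0, "198.51.100.7", 51000, 28960, q))
    v["probe_58s"] = fw.input(Packet(58.0, "198.51.100.7", 51000, 28960, q))
    v["probe_100s"] = fw.input(Packet(100.0, "198.51.100.7", 51000, 28960, q))
    v["spoofed_sport"] = fw.input(Packet(0.0, "192.0.2.9", 27015, 28960, q))
    v["other_port"] = fw.input(Packet(0.0, "198.51.100.7", 51000, 27015, q))
    return v
```

Call run_scenario() and read the verdicts: the flooding source gets 5 packets through (the default burst), the 6th puts it in blocked-hosts, and every later getstatus that arrives within 30 seconds of the previous one is dropped and refreshes the stamp, so a host that keeps flooding stays blocked; after a 42-second pause its bucket has refilled and it passes again. run_scenario(legacy=True) gives the same verdicts, which is the equivalence Marco's two-line form relies on. Two things the model makes visible: the string rule comes first with RETURN, so a blocked address only loses getstatus answers and its other UDP to the game port is untouched; and the fixed --from 32 offset only lands on the command name when the IPv4 header is 20 bytes and the 4-byte marker is present, so anything laid out differently falls through as "not a getstatus query".<br>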
</body>
</html>