connlimit in RHEL kernel
2005-01-14 - By Josko Plazonic
I would/did do it in a different way. I built a package that contains nothing but new iptables modules and places them into the appropriate /updates/ dir, e.g.: /lib/modules/2.4.21-27.0.1.EL/updates/net/ipv4/netfilter. That way the kernel is untouched and only the netfilter modules are "updated", i.e. modutils will use the new ones. Of course, you still need an updated or an alternate iptables executable/rpm and/or modules.
I think I based it on the GFS src.rpm, which is a nice rpm to take a look at if you need to build 2.4 kernel modules that are very involved (e.g. modules for whose building you need to modify the kernel source - something that can't be done as non-root in the /usr/src/linux-2.4 tree). The source rpm is at: http://www.math.princeton.edu/~plazonic/netfilter/
Josko P.
Milan Keršláger wrote:
> On Mon, Jan 10, 2005 at 12:52:04AM +0100, Milan Keršláger wrote:
>
>> Hi,
>>
>> I just experienced a DoS on our RHEL3 server. It seems to me that this
>> could be easily handled using the connlimit feature in iptables, but there is none in
>> RHEL3, and RHEL4 Beta 2 has only the module for the (command) iptables:
>>
>> /lib/iptables/libipt_connlimit.so
>>
>> So how do I have to deal with a simple DoS attack in an Enterprise environment?
>
> For those who are interested I made a patched kernel with connlimit (only
> this extension) from patch-o-matic
> (http://www.netfilter.org/patch-o-matic/) with an updated iptables package:
>
> ftp://ftp.pslib.cz/pub/users/Milan.Kerslager/RHEL-3/testing.connlimit/
> ftp://ftp.vslib.cz/pub/local/milan.kerslager/RHEL-3/testing.connlimit/
> ftp://ftp.linux.cz/pub/linux/people/milan_kerslager/RHEL-3/testing.connlimit/
>
> This is a yum repository so you may add this section to your
> /etc/yum.conf and do 'yum update':
>
> [kernel-connlimit]
> name=Testing kernel with connlimit patch
> baseurl=ftp://ftp.pslib.cz/pub/users/Milan.Kerslager/RHEL-3/testing.connlimit/
>         ftp://ftp.vslib.cz/pub/local/milan.kerslager/RHEL-3/testing.connlimit/
>         ftp://ftp.linux.cz/pub/linux/people/milan_kerslager/RHEL-3/testing.connlimit/
>
> It just Works for me [TM]. It keeps my SMTP server under moderate load
> instead of DoS from machines with spyware (on three servers, each with 3
> to 30 thousand mails per day).
>
> As I'm unable to let my servers go to their knees I'll maintain those
> kernels for some time until there is an official solution from RH
> (like other packages in my repo). The patch is non-intrusive (only one
> module for iptables) so it's safe and easy to patch the kernel*src.rpm.
>
> See http://www.netfilter.org/patch-o-matic/pom-base.html for more info
> about how to use connlimit rules in iptables.
--
Taroon-list mailing list
Taroon-list@(protected)
http://www.redhat.com/mailman/listinfo/taroon-list
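The thread describes two things without showing the rules themselves: dropping a rebuilt ipt_connlimit module into /lib/modules/<ver>/updates/ so modutils picks it up, and using connlimit to keep an SMTP listener alive under a connection flood. The script below is an added example, not code from either poster; it assumes the kernel module is named ipt_connlimit (matching the libipt_connlimit.so iptables plugin named above), that the installed iptables binary understands `-m connlimit`, and that port 25 and the per-host/per-network limits are illustrative defaults. The connlimit option names are those documented on the patch-o-matic page linked in the thread.

```shell
#!/bin/sh
# Added example (not from the original post): limit concurrent SMTP
# connections per client with the patch-o-matic connlimit match.
# Assumptions: kernel module ipt_connlimit (from the stock tree or from
# /lib/modules/$(uname -r)/updates/), iptables with -m connlimit support,
# and illustrative defaults for the port and limits.

PORT=${PORT:-25}
PER_HOST=${PER_HOST:-10}     # max simultaneous connections from one IP
PER_NET=${PER_NET:-50}       # max from one /24, catches many infected hosts on one LAN
DRY_RUN=${DRY_RUN:-1}        # 1 = print the iptables commands instead of running them

# Build the argument list for one connlimit rule. --syn restricts the match
# to connection attempts so established sessions are not re-evaluated;
# REJECT with a TCP RST lets a legitimate MTA fail fast and retry later,
# whereas DROP would make it wait for a timeout.
connlimit_rule() {
    port=$1; limit=$2; mask=${3:-32}
    printf 'INPUT -p tcp --syn --dport %s -m connlimit --connlimit-above %s --connlimit-mask %s -j REJECT --reject-with tcp-reset' \
        "$port" "$limit" "$mask"
}

# Does the running kernel offer the connlimit match? modprobe -n resolves
# the module through modules.dep without loading it; after depmod, a module
# placed under /lib/modules/$(uname -r)/updates/ is what gets resolved.
has_connlimit() {
    /sbin/modprobe -n ipt_connlimit >/dev/null 2>&1
}

# Emit (or run) the iptables command for one rule. Inserting with -I puts
# it ahead of any existing ACCEPT for the SMTP port in the INPUT chain.
apply_rule() {
    cmd="/sbin/iptables -I $(connlimit_rule "$@")"
    if [ "$DRY_RUN" = 1 ]; then
        echo "$cmd"
    else
        $cmd
    fi
}

main() {
    if [ "$DRY_RUN" != 1 ] && ! has_connlimit; then
        echo "ipt_connlimit is not available for kernel $(uname -r); install the rebuilt module or the patched kernel first" >&2
        return 1
    fi
    # Per-host cap first, then a looser per-/24 cap for whole infected networks.
    apply_rule "$PORT" "$PER_HOST" 32
    apply_rule "$PORT" "$PER_NET" 24
}

main
```

Run it with `DRY_RUN=0` as root to install the rules; the default dry run prints them so they can be reviewed on a host that does not yet have the module. Verify the cap with something like `iptables -L INPUT -n -v` and by opening more than PER_HOST connections from one client, which should get a RST on the extra ones while earlier sessions keep working.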