Update: A little slow on the ball here, but I found out today that Fedora requires the xtables-addon package to be installed to have the tar pit option enabled in IPTables.
-=-=-=-=-=-=-=-=-=-=-=-=–=-=-=-=-=-=-
While skimming the man page for iptables, noticed an option that seems to be a good deterrent to DoS attacks … basically for bad connections, will keep a connection open until it times out (12-24 minutes depending on the client). With most brute force attacks running as a loop through a list of user names and passwords, keeping the connection open that long increases the attack time by enough that the bad guys will either give up or produce no useful result.
TARPIT
Captures and holds incoming TCP connections using no local per-
connection resources. Connections are accepted, but immediately
switched to the persist state (0 byte window), in which the remote
side stops sending data and asks to continue every 60-240 seconds.
Attempts to close the connection are ignored, forcing the remote
side to time out the connection in 12-24 minutes.
This offers similar functionality to LaBrea
IPs. Any TCP port that you would normally DROP or REJECT can
instead become a tarpit.
To tarpit connections to TCP port 80 destined for the current
machine:
iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT
To significantly slow down Code Red/Nimda-style scans of unused
address space, forward unused ip addresses to a Linux box not act-
ing as a router (e.g. "ip route 10.0.0.0 255.0.0.0
ip.of.linux.box" on a Cisco), enable IP forwarding on the Linux
box, and add:
iptables -A FORWARD -p tcp -j TARPIT
iptables -A FORWARD -j DROP
NOTE: If you use the conntrack module while you are using TARPIT,
you should also use the NOTRACK target, or the kernel will
unnecessarily allocate resources for each TARPITted connec-
tion. To TARPIT incoming connections to the standard IRC
port while using conntrack, you could:
iptables -t raw -A PREROUTING -p tcp --dport 6667 -j
NOTRACK
iptables -A INPUT -p tcp --dport 6667 -j TARPIT
