On 2012/05/03 10:57, Reindl Harald wrote:
On 03.05.2012 19:46, Paul W. Frields wrote:
> On Thu, May 03, 2012 at 04:21:20PM +0200, Reindl Harald wrote:
>> is there any way to specify here more than one source-address
>> (the usual comma separated way does not work in this context)
>>
>> a complete ACCEPT before is no solution because it would bypass
>> any selective ACCEPT-rule
>>
>> iptables -I INPUT -p tcp -i eth0 ! -s $LOCAL_NETWORK -m state --state NEW -m recent --set
>> iptables -I INPUT -p tcp -i eth0 ! -s $LOCAL_NETWORK -m state --state NEW -m recent --update --seconds 1 --hitcount 75 -j REJECT --reject-with tcp-reset
>
> Even when you use comma-separated addresses (allowed when not using
> the '!' operator), iptables actually creates separate rules in
> response to the command. I believe that's what you need to do in this
> situation.
in theory yes
but practically the reject of this rule would be triggered
a security auditor from a customer is whining that he no longer
can make security-scans and it will get hard to argue that
we can not whitelist him in this case :-(
Ah, wait a minute. If he cannot make security scans neither can
anybody else. So de facto his job is finished.
For any exception you place into the rules to allow him to scan you must
think VERY carefully what its effects will be. You might accidentally
open up the internal network to him leading to a false positive detection
from his security scan.
You might sit down with him and work out a plan for what should be done
so he can do his job and you can have the "recent" rule still protecting
your network. Collaboration and education may be your best friend here.
He is, after all, really an ally even when taking on the mantle of an
adversary for security auditing. Besides, you might get the delight of
seeing the lights go on in another person's head when he grasps just what
it is you did which is keeping him, and all others who look like malicious
access attempts, out of your system. Lead him gently to the knowledge and
the results can be more than worth your time and effort.
{^_^}
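One way to build the exception Paul describes (one rule per exempt source, since "! -s" refuses a list) without a blanket ACCEPT that would bypass the selective rules: put the "recent" counting in its own chain and RETURN the auditor's addresses out of it. This is an added example, not code from the thread; the interface, networks, auditor addresses and chain name are placeholder assumptions, and IPT defaults to "echo iptables" so the script only prints the commands.

```shell
#!/bin/sh
# Added example: SYN rate limit from the thread, moved into a dedicated chain so
# several source addresses can be exempted without bypassing other INPUT rules.
# Assumptions (placeholders): eth0, local net 192.0.2.0/24, chain SYN_LIMIT,
# auditor hosts 198.51.100.10 and .11. Run with IPT=iptables as root to apply.
IPT="${IPT:-echo iptables}"
IFACE="${IFACE:-eth0}"
LOCAL_NETWORK="${LOCAL_NETWORK:-192.0.2.0/24}"
CHAIN="${CHAIN:-SYN_LIMIT}"

# build_rules SRC...: emit (or apply) the rule set, exempting each SRC given.
build_rules() {
    $IPT -N "$CHAIN"
    # Only new TCP connections from outside the local network enter the chain.
    # A RETURN inside it hands the packet back to INPUT, where the normal
    # selective ACCEPT rules still apply, so nothing is opened up wholesale.
    $IPT -I INPUT -p tcp -i "$IFACE" ! -s "$LOCAL_NETWORK" \
        -m state --state NEW -j "$CHAIN"
    # One RETURN per exempt source: the auditor is skipped for counting only.
    for src in "$@"; do
        $IPT -A "$CHAIN" -s "$src" -j RETURN
    done
    # Everyone else is tracked and rate limited exactly as in the original rules.
    $IPT -A "$CHAIN" -m recent --name "$CHAIN" --set
    $IPT -A "$CHAIN" -m recent --name "$CHAIN" --update --seconds 1 --hitcount 75 \
        -j REJECT --reject-with tcp-reset
}

build_rules 198.51.100.10 198.51.100.11
```

Check with "iptables -L SYN_LIMIT -n -v" that the exempt sources only ever hit the RETURN rules; if the kernel refuses the --hitcount value, the xt_recent module parameter ip_pkt_list_tot is the limit to look at.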