AW: patch: Port- and netscan detection for netfilter
Patrick McHardy
kaber at trash.net
Mon Mar 19 05:59:00 CET 2007
Gladewitz, Robert (FH) wrote:
> The problem is, in most attacks, the hacker tries to get some information on the network. This module implements 3 different situations:
Putting aside the question of the usefulness of this, what's the
difference to using the three rules below?
> - Netscan (scan more hosts on fewer ports)
iptables -A PREROUTING -m state --state NEW \
    -m hashlimit --hashlimit-name netscan \
    --hashlimit-mode dstip \
    --hashlimit n/sec \
    -j DROP
> - Portscan (scan fewer hosts and many ports)
iptables -A PREROUTING -m state --state NEW \
    -m hashlimit --hashlimit-name portscan \
    --hashlimit-mode dstport \
    --hashlimit n/sec \
    -j DROP
> - Combined Scan (Scan many Ports on many)
iptables -A PREROUTING -m state --state NEW \
    -m hashlimit --hashlimit-name portnetscan \
    --hashlimit-mode dstip,dstport \
    --hashlimit n/sec \
    -j DROP
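The rules above hinge on which packet fields the hashlimit bucket is keyed on, so it is worth seeing how each keying behaves against each scan shape. The following is an added example, not code from the thread or from netfilter: a small per-key token-bucket model of xt_hashlimit (each key starts with `burst` tokens, earns `rate` tokens per second up to `burst`, and spends one per packet), run over constructed traffic for the three scan patterns and for ordinary client traffic. The rate (5/sec) and burst (5) are assumed values standing in for the "n/sec" placeholder, the addresses are constructed, and the fourth keying, `srcip`, is added here for comparison and is not one of the three rules. One caveat the model makes explicit: the original `--hashlimit` option (today's `--hashlimit-upto`) matches packets that are still within the rate, so pairing it directly with `-j DROP` drops the in-limit packets; `above()` below reports the opposite, the packets over the limit, which is what `--hashlimit-above` in later iptables matches.

```python
"""Added example (not from the thread or netfilter): per-key token-bucket
model of xt_hashlimit, used to compare --hashlimit-mode keyings against
netscan, portscan and combined-scan traffic.  The bucket parameters and all
traffic below are constructed assumptions, not captured data."""
from collections import namedtuple
from fractions import Fraction

Packet = namedtuple("Packet", "t src dst dport")  # t is seconds as a Fraction

# Packet field that each --hashlimit-mode component hashes on.
_KEY_FIELDS = {"srcip": "src", "dstip": "dst", "dstport": "dport"}


class HashLimit:
    """Per-key token bucket: a key starts with `burst` tokens, earns `rate`
    tokens per second (capped at `burst`) and spends one token per packet."""

    def __init__(self, mode, rate, burst=5):
        self.fields = [_KEY_FIELDS[m] for m in mode.split(",")]
        self.rate = Fraction(rate)
        self.burst = Fraction(burst)
        self.buckets = {}  # key -> (tokens, time of last packet)

    def key(self, pkt):
        return tuple(getattr(pkt, f) for f in self.fields)

    def above(self, pkt):
        """True when pkt exceeds the rate for its key (--hashlimit-above);
        False while the key is still within the rate (--hashlimit-upto)."""
        k = self.key(pkt)
        tokens, last = self.buckets.get(k, (self.burst, pkt.t))
        tokens = min(self.burst, tokens + self.rate * (pkt.t - last))
        if tokens >= 1:
            self.buckets[k] = (tokens - 1, pkt.t)
            return False
        self.buckets[k] = (tokens, pkt.t)
        return True


def count_above(mode, packets, rate=5, burst=5):
    """How many of `packets` a limiter keyed as `mode` reports as over the rate."""
    hl = HashLimit(mode, rate, burst)
    return sum(hl.above(p) for p in sorted(packets, key=lambda p: p.t))


def probe_time(i):
    return Fraction(i, 100)  # probes 10 ms apart: 100 probes per second


SCANNER = "198.51.100.7"  # constructed scanner address
# Netscan: one source, one port, 64 hosts.
NETSCAN = [Packet(probe_time(i), SCANNER, f"10.0.0.{i + 1}", 22) for i in range(64)]
# Portscan: one source, one host, 64 ports.
PORTSCAN = [Packet(probe_time(i), SCANNER, "10.0.0.1", i + 1) for i in range(64)]
# Combined scan: 8 hosts x 8 ports, same 64-probe budget.
COMBINED = [Packet(probe_time(8 * h + p), SCANNER, f"10.0.0.{h + 1}", p + 1)
            for h in range(8) for p in range(8)]
# Two ordinary clients opening one connection per second each to 10.0.0.1:443.
LEGIT = [Packet(Fraction(s) + Fraction(c, 2), f"192.0.2.{c + 1}", "10.0.0.1", 443)
         for s in range(5) for c in range(2)]

# The three keyings from the rules above, plus srcip for comparison.
MODES = ("dstip", "dstport", "dstip,dstport", "srcip")


def scan_table():
    """Packets reported over the rate, per traffic pattern and per keying."""
    traffic = {"netscan": NETSCAN, "portscan": PORTSCAN,
               "combined": COMBINED, "legit": LEGIT}
    return {name: {m: count_above(m, pkts) for m in MODES}
            for name, pkts in traffic.items()}


if __name__ == "__main__":
    for name, row in scan_table().items():
        print(f"{name:9s}", "  ".join(f"{m}={n:2d}" for m, n in row.items()))
```

With the assumed 5/sec rate, a bucket keyed on `dstip` only fills up when one host receives many probes (the port scan), a bucket keyed on `dstport` only when one port is probed on many hosts (the host sweep), and a bucket keyed on the `dstip,dstport` pair is touched once per probe by all three scan shapes, so it never fills; the legitimate clients stay under the rate under every keying. Whichever keying is chosen, the rate and burst have to be set against the real new-connection rate of the protected hosts, or busy services trip the limit before any scanner does.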