DROP or REJECT?

/dev/rob0 rob0 at gmx.co.uk
Sun Nov 20 19:57:12 CET 2005


On Sunday 2005-November-20 12:33, Michael D. Berger wrote:
> For blocking various attacks on ports 22 and 80,
> I have been using:
>    -j REJECT --reject-with icmp-host-unreachable
> To minimize future attempts, is this best, or is
> there a better idea, such as DROP?

I doubt it matters much. I have seen, though, with my own approach of 
"-m limit --limit 3/min --limit-burst 3 -j ACCEPT" (followed by a DROP 
or REJECT rule) that -j REJECT does not always turn them away 
immediately, whereas with -j DROP they usually give up. But my REJECT 
uses the default, "--reject-with icmp-port-unreachable".

Insofar as concerns future attacks, as long as you have those ports 
open, you will have bots and worms knocking on them. They are nothing 
more than an annoyance if you have properly secured services.

I think the purpose of the SSH probes is to find more hosts from which 
to launch these probes. :) And some of them are put to work in phishing 
scams. The whole idea is to make it impossible to trace the phisher. 
They probably decide who to attack by doing a port scan on 22 of the 
entire Internet. When you're using stolen resources, there is no need 
to conserve.

HTTP probes are similar except most of those seem to target MS IIS. 
These are more likely to be operated by Internet mass-mail marketers, 
a/k/a spammers.
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header



More information about the netfilter mailing list