New NTP DDoS target hack
parent 2abb2bfdd3
commit 1c080183b1
@ -2,6 +2,8 @@
|
|||
- Reorder rules, place allow before block to allow overrides
|
||||
- Fixes for conntrack rules for better security (added -o/-i)
|
||||
- Correct some incorrect info in options.default
|
||||
- Add NTPDDOSRATELIMIT to IPV4_HACKS as a basic protection against being
|
||||
used as a NTP DDoS source. Not well tested, use at own risk.
|
||||
|
||||
1.0 - Brielle Bruns <bruns@2mbit.com>
|
||||
- Minor tweaks to various config files
|
||||
|
|
|
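Review bot: the new changelog entry names the setting `IPV4_HACKS`, but the options.default hunk in this same commit documents the hack under the variable `HACK_IPV4`; rename one of them so the changelog matches what a user would grep for in the config. The first entry, "Reorder rules, place allow before block to allow overrides", is a security-relevant ordering change and deserves one more sentence on its consequence: with allow rules evaluated first, a host that appears in both an allow list and a block list is now allowed, and anyone who relied on a block entry winning needs to be told that here.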
@ -92,10 +92,6 @@ function iptables_rules_flush {
|
|||
$VER_IPTABLES -F -t $i &>/dev/null
|
||||
done
|
||||
$VER_IPTABLES -X
|
||||
$VER_IPTABLES -t nat -F
|
||||
$VER_IPTABLES -t nat -X
|
||||
$VER_IPTABLES -t mangle -F
|
||||
$VER_IPTABLES -t mangle -X
|
||||
#if [ $NAT ] && [ $IP_VERSION == "ipv4" ]; then
|
||||
# $VER_IPTABLES -F -t nat &>/dev/null
|
||||
#fi
|
||||
|
|
|
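Review bot: the unconditional `$VER_IPTABLES -t nat -F` and `$VER_IPTABLES -t nat -X` lines drop the guard that the now commented-out block used to apply (`[ $NAT ] && [ $IP_VERSION == "ipv4" ]`); when `$VER_IPTABLES` is ip6tables on a kernel without an IPv6 nat table, both commands will fail and print an error on every flush, whereas the looped `$VER_IPTABLES -F -t $i &>/dev/null` is silenced. Either keep the guard or give these lines the same redirect. Also, `$VER_IPTABLES -X` with no `-t` only deletes user-defined chains in the filter table, so user chains in any table the loop's `$i` covers other than nat and mangle (raw, for instance, if that is where the untracked-traffic rules go) survive the flush; moving `-X -t $i` into the loop next to the `-F` covers every table the loop already knows about.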
@ -150,7 +150,11 @@ DONTTRACK="127.0.0.1"
|
|||
# I have things going through specific wires for a reason. This fixes
|
||||
# that and makes it behave as expected.
|
||||
#
|
||||
HACK_IPV4="NS-IN-DDOS"
|
||||
# NTPDDOSRATELIMIT - Basic form of rate limiting/blocking on incoming NTP traffic
|
||||
# that may cause local NTP server to be used in a DDoS attack.
|
||||
# Not well tested yet, use at own risk.
|
||||
#
|
||||
#HACK_IPV4="NS-IN-DDOS"
|
||||
|
||||
# IP Ranges to block all traffic incoming/outgoing
|
||||
# New functionality in 0.9.8 obsoletes BLOCKTCPPORTS and BLOCKUDPPORTS
|
||||
|
|
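Review bot: the hunk counts (-150,7 +150,11) indicate the active `HACK_IPV4="NS-IN-DDOS"` line is replaced by the commented `#HACK_IPV4="NS-IN-DDOS"`, so the NS-IN-DDOS hack goes from enabled to disabled by default in options.default, a behaviour change the changelog entry does not mention; either document it there or keep the line active. The new NTPDDOSRATELIMIT comment block also never shows how to turn the hack on: if `HACK_IPV4` accepts a space-separated list of hack names, an example line such as `#HACK_IPV4="NS-IN-DDOS NTPDDOSRATELIMIT"` would remove the guesswork, and the comment should say what the rate limit actually is (the per-second rate and burst it applies to incoming NTP, and whether excess packets are dropped or only logged) so that "use at own risk" has something concrete behind it.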