Full Disclosure mailing list archives

Re: heartbleed OpenSSL bug CVE-2014-0160

From: Reindl Harald <h.reindl () thelounge net>
Date: Thu, 10 Apr 2014 11:01:18 +0200


Am 09.04.2014 23:33, schrieb Juergen Christoffel:

On Wed, Apr 09, 2014 at 09:24:25PM +0200, Reindl Harald wrote:


iptables logging needs to be rate-limit always because how it works
otherwise you have a problem the first time it really happens seriously


Using limits is sensible, yes. But

-m limit --limit 1/m


this might be a bit too restrictive to gather data on attempts at
heartbleeding. And --hashlimit might be more appropriate too as it keeps a
counter per IP address.


agreed and thanks for the --hashlimit option, after a
large DDOS attack from more than 10000 IP addresses i
got that restrictive :-)

sadly i can't confirm that it works because testing with http://filippo.io/Heartbleed/
don't produce any log-entry and since iptables lives on the deeper layer then httpd
it should cry even on patched machines................

iptables -A INPUT ! -i lo -p tcp -m multiport --destination-port 443,993,995 -m u32 --u32
"52=0x18030000:0x1803FFFF" -m limit --limit 5/h -j LOG --log-level debug --log-prefix "Firewall: Heartbleed"
iptables -A INPUT ! -i lo -p tcp -m multiport --destination-port 443,993,995 -m u32 --u32
"52=0x18030000:0x1803FFFF" -j DROP
__________________________________________________________________________________________________________________

iptables --list --numeric --verbose

    0     0 LOG        tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            multiport dports
443,993,995 u32 "0x34=0x18030000:0x1803ffff" limit: avg 5/hour burst 5 LOG flags 0 level 7 prefix "Firewall:
Heartbleed"
    0     0 DROP       tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            multiport dports
443,993,995 u32 "0x34=0x18030000:0x1803ffff"
__________________________________________________________________________________________________________________

Attachment: signature.asc
Description: OpenPGP digital signature


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Current thread:

Re: heartbleed OpenSSL bug CVE-2014-0160, (continued)
- - - Re: heartbleed OpenSSL bug CVE-2014-0160 Brandon Vincent (Student) (Apr 10)
    - Re: heartbleed OpenSSL bug CVE-2014-0160 Carlos P (Apr 11)
    - Message not available
    - Re: heartbleed OpenSSL bug CVE-2014-0160 Chris Schmidt (Apr 08)
    - Re: heartbleed OpenSSL bug CVE-2014-0160 Nik Mitev (Apr 08)
  - Re: heartbleed OpenSSL bug CVE-2014-0160 Ronny Lauenstein (Apr 09)
    - Re: heartbleed OpenSSL bug CVE-2014-0160 Ken Connelly (Apr 10)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Justin Bull (Apr 08)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Fabien Bourdaire (Apr 09)
  - Re: heartbleed OpenSSL bug CVE-2014-0160 Reindl Harald (Apr 09)
    - Re: heartbleed OpenSSL bug CVE-2014-0160 Juergen Christoffel (Apr 09)
    - Re: heartbleed OpenSSL bug CVE-2014-0160 Reindl Harald (Apr 10)
    - Re: heartbleed OpenSSL bug CVE-2014-0160 Reindl Harald (Apr 11)
    - Re: heartbleed OpenSSL bug CVE-2014-0160 Seth Arnold (Apr 11)
  - Re: heartbleed OpenSSL bug CVE-2014-0160 Daniel Franke (Apr 09)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Jeremy Voorhis (Apr 09)
  - Re: heartbleed OpenSSL bug CVE-2014-0160 Brandon Perry (Apr 09)
  - Re: heartbleed OpenSSL bug CVE-2014-0160 Aidan Thornton (Apr 09)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Peter Malone (Apr 09)
  - Re: heartbleed OpenSSL bug CVE-2014-0160 Coderaptor (Apr 09)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Peter Malone (Apr 09)
  - Re: heartbleed OpenSSL bug CVE-2014-0160 Jann Horn (Apr 10)

(Thread continues...)