Re: heartbleed OpenSSL bug CVE-2014-0160

[Reindl Harald <h.reindl () thelounge net>]

you are opening the doors for a DOS attack with the log-rule!

iptables logging needs to be rate-limit always because how it works
otherwise you have a problem the first time it really happens seriously

 -m limit --limit 1/m

Am 09.04.2014 12:39, schrieb Fabien Bourdaire:
> We've created some iptables rules to block all heartbeat queries using
> the very powerful u32 module.
>
> The rules allow you to mitigate systems that can't yet be patched by
> blocking ALL the heartbeat handshakes. We also like the capability to
> log external scanners ;)
>
> The rules have been specifically created for HTTPS traffic and may be
> adapted for other protocols; SMTPS/IMAPS/...
>
>
> # Log rules
> iptables -t filter -A INPUT  -p tcp --dport 443  -m u32 --u32 \
> "52=0x18030000:0x1803FFFF" -j LOG --log-prefix "BLOCKED: HEARTBEAT"
>
> # Block rules
> iptables -t filter -A INPUT  -p tcp --dport 443  -m u32 --u32 \
> "52=0x18030000:0x1803FFFF" -j DROP
>
> # Wireshark rules
> $ tshark  -i interface port 443 -R 'frame[68:1] == 18'
> $ tshark  -i interface port 443 -R 'ssl.record.content_type == 24'
>
>
> We believe that this should only be used as a temporary fix to decrease
> the exposure window. The log rule should allow you to test the firewall
> rules before being used in production. It goes without saying that if
> you have any suggested improvements to these rules we would be grateful
> if you could share them with the security community.
>
> Clearly, use of these rules is at your own risk :)

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/