From owner-freebsd-security  Fri Jun 15 11:53:37 2001
Delivered-To: freebsd-security@freebsd.org
Received: from silby.com (cb34181-a.mdsn1.wi.home.com [24.14.173.39])
	by hub.freebsd.org (Postfix) with ESMTP id 51E8937B401
	for <freebsd-security@freebsd.org>; Fri, 15 Jun 2001 11:53:28 -0700 (PDT)
	(envelope-from silby@silby.com)
Received: (qmail 25444 invoked by uid 1000); 15 Jun 2001 18:53:25 -0000
Received: from localhost (sendmail-bs@127.0.0.1)
  by localhost with SMTP; 15 Jun 2001 18:53:25 -0000
Date: Fri, 15 Jun 2001 13:53:25 -0500 (CDT)
From: Mike Silbersack <silby@silby.com>
To: "Karsten W. Rohrbach" <karsten@rohrbach.de>
Cc: Gerhard Sittig <Gerhard.Sittig@gmx.net>,
	"'freebsd-security@freebsd.org'" <freebsd-security@freebsd.org>
Subject: Re: apache security question
In-Reply-To: <20010615125253.B75938@mail.webmonster.de>
Message-ID: <20010615134459.R25403-100000@achilles.silby.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org


On Fri, 15 Jun 2001, Karsten W. Rohrbach wrote:

> ratelimiting turned out to be too relaxed for several servers i got in
> the field. was this changed from 4.2 to 4.3?

It changed a bit, contact me via private e-mail with info on what it
wasn't able to handle and we'll see if we can enhance it.

> i did not want to say that blackhole(4) is a replacement for ipf(4).
> since the b0rkedness of the rule parser, ipfw(4) is not an option
> anymore for me. try mathing multiple destination ports in one rule :-/
>
> >
> > So... don't worry about it.  (Or filter upstream if you are being attacked
> > and are forced to worry about it.)
>
> that's exactly what i wrote in the original mail, would it not have been
> removed.

Oops, guess I got too cut happy.  Sorry.

> > * Some attack tools have recognizeable signatures, you could block those
> > with ipfw.
>
> oh, yes, and snort or similar things on a gateway in front of it to see
> new ones ;-)

I should really check out that program one of these days.  I must be one
of the few to not yet use it. :)

Mike "Silby" Silbersack


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message