On Tue, 2007-09-18 at 11:53 -0600, Ashley M. Kirchner wrote: > Hey all, > > I have the following lines in my iptables config file to curb ssh > knocking on our servers: > > # Let's see if we can curb SSH attacks. > -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set > > -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck > --seconds 120 --hitcount 2 -j LOG -log-prefix "SSH REJECT: " > > -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck > --seconds 120 --hitcount 2 -j REJECT --reject-with tcp-reset > > > This works great...EXCEPT it also blocks our own access to the > servers if we need to get on them in a short amount of time (less than > 120 seconds). So how can I still implement the above blocking, but > allow anything from our different subnets (we have 4) come through > without going through that block routine? The easiest way would be to add a line for each subnet you want to allow ABOVE the code above: -A INPUT -p tcp --sync --dport 22 -s www.xxx.yyy.zzz/aa -j ACCEPT replacing "www.xxx.yyy.zzz/aa" with each subnet/mask you want to allow. This would instantly allow ssh access from your network(s) before those attempts hit the blocking code. That's what we do. ---------------------------------------------------------------------- - Rick Stevens, Principal Engineer rstevens@xxxxxxxxxxxx - - CDN Systems, Internap, Inc. http://www.internap.com - - - - Working with Linux is like wrestling with a worthy opponent. - - Working with Windows is like picking on an annoyed child with a - - loaded handgun. - ---------------------------------------------------------------------- -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list