On 1/17/2012 8:43 PM, jdow wrote:
This is a set if iptables rules that essentially "deals" with packets
that
come in too fast. Anything more than one attempt in one minute is
logged and
rejected. You can also forgo logging and DROP the packet if you wish.
(This
specifically drops ssh packets. But it can be triggered by almost any
attempt
to connect to your system, whether it fails or not.) Got no logging drop
the second line and its continuations. To DROP instead of REJECT change
the third line's REJECT to DROP.
iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack
--set
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
--rcheck --seconds 60 --hitcount 2 -j LOG --log-prefix 'SSH REJECT: ' \
--log-level info
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
--rcheck --seconds 60 --hitcount 2 -j REJECT --reject-with tcp-reset
If the normal traffic to the site is really light 180 seconds works nice.
If it's quite light 60 seconds is fine. If it's modest perhaps 10 seconds
is OK. I'd not use it on a site with Google level traffic, of course.
{^_^}
jdow:
How does one add a rule to this that allows LAN attempts to not be
subject to this rule? Often when I need to sync things up, I ssh to all
machines in the LAN and can do more than one within 60 seconds. Normal
traffic is expected to be near nil, but the blast of everyone ssh's to
everyone does happen.
Thanks in advance,
Paul
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org