On Thu, 29 Jun 2017 19:26:37 -0700
Mike Wright <nobody@xxxxxxxxxxxxxxxxxxxx> wrote:

> Hi Doug,
>
> Before you give up look at this.
>
> That looks like a firewalld chain name (guessing). If it doesn't
> recognize it you're probably not running it.
>
> If you want to use iptables (the built-in kernel firewall) and watch
> SSH connections the rules would look like:
>
> iptables -A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m recent --rcheck --seconds 90 --hitcount 2 --name DEFAULT --mask 255.255.255.255 --rsource -j LOG --log-prefix "POSSIBLE SSH ATTACK" --log-level 6
>
> iptables -A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m recent --rcheck --seconds 90 --hitcount 2 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
>
> The first rule LOGS the event and the second one drops the connection.

These are the rules I meant to write. :-) Good job.
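
Added example, not part of the original messages: a small shell helper that tallies the source addresses recorded by the LOG rule quoted above. The log lines, host name, and addresses are constructed samples, and the function names are hypothetical.

```shell
#!/bin/sh
# Summarise kernel log entries written by the quoted LOG rule
# (--log-prefix "POSSIBLE SSH ATTACK"). The prefix has no trailing space,
# so the kernel prints it fused with the first field: "...ATTACKIN=eth0".

# Constructed sample input (documentation address ranges, invented host).
sample_log() {
cat <<'EOF'
Jun 29 19:30:01 gw kernel: POSSIBLE SSH ATTACKIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40112 DPT=22 SYN URGP=0
Jun 29 19:30:04 gw kernel: POSSIBLE SSH ATTACKIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40113 DPT=22 SYN URGP=0
Jun 29 19:30:09 gw sshd[2211]: Failed password for root from 192.0.2.99 port 51000 ssh2
Jun 29 19:31:40 gw kernel: POSSIBLE SSH ATTACKIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=49 PROTO=TCP SPT=55021 DPT=22 SYN URGP=0
Jun 29 19:31:55 gw kernel: OTHER RULE IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=49 PROTO=TCP SPT=55022 DPT=80 SYN URGP=0
Jun 29 19:32:02 gw kernel: POSSIBLE SSH ATTACKIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40120 DPT=22 SYN URGP=0
EOF
}

# Read log lines on stdin and print "<count> <source>" for every source
# logged under the prefix, most frequent first.
# Optional $1: minimum number of logged hits for a source to be listed.
ssh_attack_sources() {
    awk -v min="${1:-1}" '
        index($0, "POSSIBLE SSH ATTACK") {      # literal match on the prefix
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) {             # SRC= stays its own field
                    addr = $i
                    sub(/^SRC=/, "", addr)
                    hits[addr]++
                }
        }
        END {
            for (a in hits)
                if (hits[a] >= min) print hits[a], a
        }
    ' | sort -k1,1nr -k2,2
}

# Stand-alone run over the constructed sample.
sample_log | ssh_attack_sources
```

On a live system the same function can read the kernel log instead of the sample, for example `journalctl -k | ssh_attack_sources 5`.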