On 06/30/17 09:10, jdow wrote:
> A rule like this makes cracking your 123456 password a whole lot harder without
> changing anything else.
>
> iptables -t filter -A IN_public_deny -p tcp --dport pop3s --syn -m recent --name pop3s_attack --rcheck --seconds 90 --hitcount 2 -j LOG --log-prefix 'SSH2 REJECT: ' --log-level info
>
> The magic is in "-m recent --rcheck --seconds 90 --hitcount 2". That means any
> given site gets one chance to login before facing a 90 second blockage. If they
> have to guess "AZBYCXDW" as a password you can imagine how long you have to catch
> him in your log and explicitly block his whole subnet.

I once did rate limiting on brute force login attempts. But I found that all the
attempts were scripted. So instead of an attack from a single IP address happening
for a minute or so, the attack simply went on for hours. The same number of
attempts were made.

I didn't manually check my logs. I left that to an automated process. But I got
tired of setting all that up for systems that were temporary in my environment but
yet required full access when I was not physically present.

--
Fedora Users List - The place to go to speculate endlessly
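As an added example (not code from either poster), here is a small Python model of the quoted `-m recent --rcheck --seconds 90 --hitcount 2` check, run against two constructed attackers: a naive burst and a script paced just outside the 90 second window, which is the behaviour the reply describes. It assumes, since the thread does not show them, that a `--set` rule precedes the LOG rule and that a DROP follows it.

```python
from collections import defaultdict

WINDOW = 90      # --seconds 90 from the quoted rule
HITCOUNT = 2     # --hitcount 2 from the quoted rule


class RecentList:
    """Constructed model of an xt_recent list: per-source packet timestamps."""

    def __init__(self):
        self.hits = defaultdict(list)

    def set(self, src, now):
        """--set: record this packet's arrival time for src."""
        self.hits[src].append(now)

    def rcheck(self, src, now, seconds, hitcount):
        """--rcheck --seconds S --hitcount H: match if src has >= H hits in the last S seconds."""
        window = [t for t in self.hits[src] if now - t <= seconds]
        return len(window) >= hitcount


def filter_syns(syns, window=WINDOW, hitcount=HITCOUNT):
    """Run (time_seconds, src) SYNs through '--set' and then '--rcheck ... -j DROP'.

    Assumes (not stated in the thread) that a --set rule precedes the quoted
    LOG rule and that a DROP follows it. Returns per-source accepted/dropped counts.
    """
    recent = RecentList()
    result = defaultdict(lambda: {"accepted": 0, "dropped": 0})
    for t, src in sorted(syns):
        recent.set(src, t)                           # --set, evaluated first
        if recent.rcheck(src, t, window, hitcount):  # --rcheck: second hit in window
            result[src]["dropped"] += 1
        else:
            result[src]["accepted"] += 1
    return dict(result)


def scripted_attack(src, attempts, interval):
    """Constructed attacker: `attempts` SYNs from src, `interval` seconds apart."""
    return [(i * interval, src) for i in range(attempts)]


# Constructed samples (documentation addresses): a naive burst and a paced script.
BURST = scripted_attack("203.0.113.5", attempts=10, interval=5)
PACED = scripted_attack("198.51.100.7", attempts=10, interval=WINDOW + 1)

if __name__ == "__main__":
    for name, syns in (("burst", BURST), ("paced", PACED)):
        print(name, filter_syns(syns)[syns[0][1]], "last attempt at", syns[-1][0], "s")
```

The burst gets one attempt through and the rest dropped; the paced script gets all ten through, it just needs 819 seconds instead of 45, so the rule changes the attack's duration rather than its attempt count.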