Re: crazy hackers and logwatch

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>>>>> "Marco" == Marco Meyerhofer <marco_meyerhofer@xxxxxxxxxxx> writes:

Marco> I recently set up some rules.  I know they could be abused for
Marco> dos, but for me this is a minor problem.  Warning: I am not
Marco> sure if they work correct, or if they make some problems.

Marco> # SSH brute force protection $EXT_IF
Marco> $IPTABLES -N ssh_brute
Marco> $IPTABLES -A INPUT -i $EXT_IF -p tcp --dport 22 -m state --state NEW -j ssh_brute
Marco> $IPTABLES -A ssh_brute -m recent --set
Marco> $IPTABLES -A ssh_brute -m recent --update --seconds 120 ! --hitcount 4 -j RETURN
Marco> $IPTABLES -A ssh_brute -m limit -j LOG --log-prefix "ssh bruteforce "
Marco> $IPTABLES -A ssh_brute -j DROP

A better rule (IMHO), I use: 

$IPTABLES -A INPUT -m hashlimit -m tcp -p tcp --dport 22 --hashlimit 1/min --hashlimit-mode srcip --hashlimit-name ssh -m state --state NEW -j ACCEPT

This has the advantage of only blocking the offending IP if they go
over 1/min, but letting all other ip's still have access until they go
over the limit.

kevin
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.8 <http://mailcrypt.sourceforge.net/>

iD8DBQFC+M5P3imCezTjY0ERApEgAJ9lDrUDdOVVYjz7kokJlntU8xj33gCbBvZT
dUgowokLV9sWB6mLIf4+O2M=
=ajK2
-----END PGP SIGNATURE-----

-- 
fedora-test-list mailing list
fedora-test-list@xxxxxxxxxx
To unsubscribe: 
http://www.redhat.com/mailman/listinfo/fedora-test-list

[Index of Archives]     [Fedora Desktop]     [Fedora SELinux]     [Photo Sharing]     [Yosemite Forum]     [KDE Users]