> From Matthew Schumacher on Monday, May 21, 2007 6:35 PM
>
> I agree with Blake; while I can do it with IPtables, it's not
> a good solution.
>
> The first iptables suggestion blocked the offending IP, which
> is fine, but also requires me to babysit the server. The
> second suggestion would correctly limit connections, but if
> I'm reading it right, would lump all connections together,
> not just connections per originating IP address.

If you are talking about the suggestion I made, which looked like this:

    iptables -A INPUT -p tcp --dport 22 \
        -m state --state NEW \
        -m recent --update --seconds 60 -j DROP
    iptables -A INPUT -p tcp --dport 22 \
        -m state --state NEW \
        -m recent --set -j ACCEPT

then you did not read it right. It limits to one connection per IP
address per minute. Each source address is kept track of in enforcing
the limit. Using the --hitcount option in addition to the --seconds
option, you can also create limits such as a maximum of four
connections in two minutes, etc.

David

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
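To make the per-address behaviour of that rule pair concrete, here is a small Python model of the netfilter "recent" match (an added example for this page, not code from the thread or from the iptables project): it keeps hit timestamps per source IP the way xt_recent does, evaluates the --update/--set pair David posted, and also covers the --hitcount variant he mentions. It assumes the kernel's per-entry timestamp cap (ip_pkt_list_tot) is never reached, and uses constructed connection events.

```python
# Toy model of the xt_recent match behind the two iptables rules above.
# Assumption: the kernel's per-address timestamp list never overflows.
from collections import defaultdict


class RecentList:
    def __init__(self):
        self.hits = defaultdict(list)   # source ip -> list of hit times (s)

    def set(self, ip, now):
        """--set: record a hit for ip (creating the entry if needed)."""
        self.hits[ip].append(now)

    def _matches(self, ip, now, seconds, hitcount):
        # Match when ip has at least `hitcount` hits within the last `seconds`.
        if ip not in self.hits:
            return False
        recent = [t for t in self.hits[ip] if now - t <= seconds]
        return len(recent) >= hitcount

    def update(self, ip, now, seconds, hitcount=1):
        """--update --seconds S [--hitcount N]: like --rcheck, but on a
        match the entry is refreshed with this packet's time as well."""
        if self._matches(ip, now, seconds, hitcount):
            self.hits[ip].append(now)
            return True
        return False


def ssh_policy(seconds, hitcount=1):
    """Build verdict(ip, now) -> 'DROP' | 'ACCEPT' for the rule pair:
         -m recent --update --seconds S [--hitcount N] -j DROP
         -m recent --set -j ACCEPT
    Each source address is tracked independently."""
    table = RecentList()

    def verdict(ip, now):
        if table.update(ip, now, seconds, hitcount):
            return "DROP"           # first rule matched
        table.set(ip, now)          # second rule: record and accept
        return "ACCEPT"
    return verdict


def simulate(seconds, hitcount, events):
    """events: list of (time_seconds, source_ip) for NEW SYNs to port 22."""
    verdict = ssh_policy(seconds, hitcount)
    return [verdict(ip, t) for t, ip in events]


# Constructed sample: host A retries every 10 s while B connects once;
# because --update refreshes the timestamp on a DROP, A's retries keep
# extending its own block until it stays quiet for a full minute.
SAMPLE = [(0, "A"), (10, "A"), (30, "B"), (65, "A"), (130, "A")]
```

Running `simulate(60, 1, SAMPLE)` shows B unaffected by A's limit, and `simulate(120, 4, ...)` models the "four connections in two minutes" variant.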