Re: SSH Brute force attacks

Łukasz Hejnak wrote:
$ipt -N SSH_Brute_Force
$ipt -A INPUT -p tcp --dport 22 -m state --state NEW -s ! $MyIP -j SSH_Brute_Force
$ipt -A SSH_Brute_Force -m recent --set --name SSH
$ipt -A SSH_Brute_Force -m recent ! --rcheck --name SSH --seconds 60 --hitcount 3 -j RETURN
$ipt -A SSH_Brute_Force -m recent --name SSH --update
$ipt -A SSH_Brute_Force -j LOG --log-prefix "SSH Brute Force Attempt: "
$ipt -A SSH_Brute_Force -j DROP

Hi all

Would it not be possible to base the ruleset on whether the connection succeeded?

For example, at my home I have a dialup account (dynamic IP). So if I need to SSH into my hosting box, I can't, because of the ruleset ($MyIP will be the work's static IP).

Is there not a way to have iptables look at whether the connection was successful or not (not based on the source IP of $MyIP)? So if I am able to SSH (log in, etc.) into my box, then doesn't iptables see that as ESTABLISHED and RELATED (normally placed as one of the first entries in your ruleset)? But if I have not been successful, then the connection attempt again will be considered as NEW.

So my question is, can't we make iptables see the number of NEW connections / attempts (basically a dictionary attack) given in a time frame? And if the number of NEW connections exceeds a certain time frame, then start DROP or TARPIT.

Just something I was thinking.

Kind Regards
Brent Clark
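The quoted chain already does what the question asks for, because `-m recent` counts NEW TCP connections per source within a time window; the `-s ! $MyIP` exception is only a whitelist and can be dropped. As an added illustration that is not part of this thread, the Python below simulates the semantics of that chain (one `--set`, a negated `--rcheck --seconds 60 --hitcount 3`, an `--update`, then LOG and DROP) over a constructed sequence of connection events, so the verdict for each attempt can be seen without touching a live firewall. The function and class names, the sample addresses and the timestamps are all made up for the example; the 20-stamps-per-address limit mirrors the xt_recent default.

```python
from collections import defaultdict, deque

# xt_recent keeps at most 20 timestamps per address by default (assumption
# stated in the lead-in; tune ip_list_tot / ip_pkt_list_tot on a real box).
MAX_STAMPS = 20


class RecentTable:
    """Per-source timestamp list, modelled on an iptables -m recent --name table."""

    def __init__(self, max_stamps=MAX_STAMPS):
        self.entries = defaultdict(lambda: deque(maxlen=max_stamps))

    def set(self, src, now):
        # --set and --update both record the current time for the source
        self.entries[src].append(now)

    def rcheck(self, src, now, seconds=None, hitcount=None):
        # --rcheck: the address is known and, if --seconds/--hitcount are
        # given, at least `hitcount` stamps are younger than `seconds`
        if src not in self.entries:
            return False
        if seconds is None:
            return True
        hits = sum(1 for s in self.entries[src] if s + seconds > now)
        if hitcount is None:
            return hits > 0
        return hits >= hitcount


def ssh_brute_force_chain(table, src, now, log, seconds=60, hitcount=3):
    """Walk one NEW connection through the quoted SSH_Brute_Force chain.

    Returns "RETURN" (control goes back to INPUT, i.e. the packet is
    allowed to continue) or "DROP". `log` collects what -j LOG would emit.
    """
    table.set(src, now)                                # -m recent --set --name SSH
    if not table.rcheck(src, now, seconds, hitcount):  # -m recent ! --rcheck ... -j RETURN
        return "RETURN"
    table.set(src, now)                                # -m recent --name SSH --update
    log.append(f"SSH Brute Force Attempt: SRC={src} t={now}")  # -j LOG --log-prefix
    return "DROP"                                      # -j DROP


def run(events, seconds=60, hitcount=3):
    """events: list of (time_in_seconds, source_ip) for NEW connections to port 22."""
    table = RecentTable()
    log = []
    verdicts = [(t, src, ssh_brute_force_chain(table, src, t, log, seconds, hitcount))
                for t, src in events]
    return verdicts, log


# Constructed sample: one source opening four connections in 30 s, an unrelated
# source making a single connection, then the first source coming back after
# staying quiet for a minute.
EVENTS = [
    (0, "203.0.113.5"), (10, "203.0.113.5"), (15, "198.51.100.7"),
    (20, "203.0.113.5"), (30, "203.0.113.5"), (90, "203.0.113.5"),
]

if __name__ == "__main__":
    verdicts, log = run(EVENTS)
    for t, src, verdict in verdicts:
        print(f"t={t:3d}  {src:15s}  {verdict}")
    for line in log:
        print(line)
```

Two things the simulation makes visible: the counter is per source address and counts every NEW connection, not failed logins, so three quick connections from the same place trip it whether or not any of them authenticated (which is why a fixed address such as $MyIP is often exempted); and because the DROP path runs `--update`, a source that keeps hammering keeps refreshing its own stamps and stays blocked until it has been quiet for the full window, while the source that waited 60 s is allowed through again.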
