Re: NEW "SSH Brute Force " ruleset (20050628.0)

On Sunday 2005-September-04 00:01, I wrote:
> The new "Ssh" chain does this:
> -A Ssh -m state --state ESTABLISHED -j ACCEPT
> -A Ssh -m limit --limit 3/m -j ACCEPT
> -A Ssh -m limit --limit 1/m j LOG --log-prefix "SSH attack: "
[ note, a typo here ----------^ "-j" ]
> -A Ssh -j REJECT
[snip]
> Another curious thing about the --limit is that when I stress test
> it: for X in `seq 99` ; do
>     echo $X | nc target.hostname ssh & echo -n $X
> done
> with 3/m I get 5 connections through, and usually about 5 logged with
> the 1/m limit. That test just now got 8 connections through (not all
> made it in the first minute.)

RTFM:
--limit-burst number
     Maximum  initial  number  of  packets to match: this number gets
     recharged by one every time the limit  specified  above  is  not
     reached, up to this number; the default is 5.
So I've changed the above:
-A Ssh -m state --state ESTABLISHED -j ACCEPT
-A Ssh -m limit --limit 3/m --limit-burst 3 -j ACCEPT
-A Ssh -m limit --limit 1/m --limit-burst 1 -j LOG --log-prefix "SSH attack: "
-A Ssh -j REJECT

I still got 8 packets of the 99 through, but only 2 were logged, one
minute apart.
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header
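Added illustration, not code from the thread or from netfilter: a token-bucket model of what "-m limit --limit R --limit-burst B" does, built from the manual text quoted above (burst = maximum initial matches, recharged by one each time the limit interval passes, up to burst). It models only new-connection packets, so the ESTABLISHED rule is left out, and the arrival times are constructed to mimic the 99-connection loop above: 99 SYNs about 10 ms apart. With the default burst of 5 exactly 5 packets match the 3/m rule and 5 are logged; with --limit-burst 3 and --limit-burst 1 the numbers drop to 3 and 1; a second burst one minute later gets another 3 through and one more log line, which is the recharge the manual describes. The model uses a continuous recharge rather than the kernel's integer credit arithmetic, so results for inputs right on a recharge boundary may differ from real iptables.

```python
"""Token-bucket model of the iptables 'limit' match.

This is an added model for illustration; it follows the documented
semantics of --limit/--limit-burst, not the kernel's xt_limit code.
"""
from dataclasses import dataclass, field


@dataclass
class LimitMatch:
    """-m limit --limit <rate_per_minute>/m --limit-burst <burst>."""
    rate_per_minute: float
    burst: int = 5                      # iptables default for --limit-burst
    tokens: float = field(init=False)   # how many packets may match right now
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = float(self.burst)  # bucket starts full

    @property
    def interval(self) -> float:
        """Seconds it takes to recharge one token at the configured rate."""
        return 60.0 / self.rate_per_minute

    def matches(self, now: float) -> bool:
        """Return True if a packet arriving at time `now` matches this rule."""
        elapsed = now - self.last
        self.last = now
        # recharge by one token per interval, never beyond the burst size
        self.tokens = min(float(self.burst), self.tokens + elapsed / self.interval)
        if self.tokens >= 1.0:
            self.tokens -= 1.0          # a matching packet consumes a token
            return True
        return False                    # no token left: rule does not match


def run_ssh_chain(arrival_times, accept_rate=3, accept_burst=5,
                  log_rate=1, log_burst=5):
    """Walk new-connection packets through the Ssh chain from the post:

        -A Ssh -m limit --limit 3/m [--limit-burst N] -j ACCEPT
        -A Ssh -m limit --limit 1/m [--limit-burst M] -j LOG ...
        -A Ssh -j REJECT

    Returns (accepted, logged, rejected).  LOG is a non-terminating target,
    so every packet that reaches it is still rejected afterwards.
    """
    accept_rule = LimitMatch(accept_rate, accept_burst)
    log_rule = LimitMatch(log_rate, log_burst)
    accepted = logged = rejected = 0
    for t in sorted(arrival_times):
        if accept_rule.matches(t):
            accepted += 1
            continue
        if log_rule.matches(t):
            logged += 1
        rejected += 1
    return accepted, logged, rejected


def one_burst(count=99, start=0.0, spacing=0.01):
    """Constructed arrival times: `count` SYNs `spacing` seconds apart."""
    return [start + i * spacing for i in range(count)]


if __name__ == "__main__":
    # default --limit-burst 5: five connections through, five log lines
    print(run_ssh_chain(one_burst()))
    # --limit-burst 3 / --limit-burst 1: three through, one log line
    print(run_ssh_chain(one_burst(), accept_burst=3, log_burst=1))
    # same rules, second burst of 99 a minute later: buckets have recharged
    print(run_ssh_chain(one_burst() + one_burst(start=61.0),
                        accept_burst=3, log_burst=1))
```

The model also shows why a stress test that spills past the first minute lets more packets through: at 3/m the ACCEPT bucket earns a token every 20 seconds, so a run of 99 nc processes that takes longer than that to start will see the count creep above the burst size.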
