I've used the "recent" trick to keep out bulk login attempt,
particularly for some publically accessable FTP sites my company runs:
-A INPUT -p tcp --dport 21 -m state --state NEW -m recent --set
-A INPUT -p tcp --dport 21 -m state --state NEW -m recent --update
--seconds 600 --hitcount 10 -j DROP
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
It works fine on basic server setups, however I've seen this not work
properly on machines that have ethernet aliases ("eth0", "eth0:1", etc).
Basically it blocks either too soon or just blocks the port
completely even on the first attempt. Does the exact network alias need
to be specified in the rules for these cases, or is there some other
limitation I may not be aware of?
--
Alan Garrison <agarrison@xxxxxxxxxxxx>
(216) 221-4600 x 308
