On Mon, 26/04/2010 at 16:34 +0200, Pascal Hambourg wrote:
> Hello,
>
> Richard Horton wrote:
>>
>> A better option would be to drop ssh connections if the number of
>> attempts from a single ip address exceeds an acceptable limit
>
> Preferably the number of *failed* attempts. That's what fail2ban and the
> like do.
>
>> can't see many legit uses for ssh where you connect and
>> disconnect multiple times within a 1 minute window)
>
> What about scp ?

Regarding my rules, multiple sequential scp attempts will get slow, but sftp won't.

>> This can be done using either hashlimit or the recent matches...
>
> They don't know about failed attempts.

And this might not be needed. Fail2ban is a more specific solution, but it is also more complex and heavy. In my environment I haven't been feeling that iptables is insufficient and that I need fail2ban; nevertheless, it should be considered in other environments.

-- 
Покотиленко Костик <casper@xxxxxxxxxxxx>
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
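To make the trade-off discussed in this thread concrete, here is an added example (not code from the thread or from any of its posters) that models the `recent` match the way xt_recent implements it and applies it to a constructed sequence of NEW SSH connections. The two iptables rules it models, the `SSH` list name, the 60 s / 4-hit limits and the sample addresses are all assumptions for illustration, not anyone's actual rules.

```python
"""Model of iptables' `recent` match rate-limiting NEW SSH connections.
Added example, not from the list thread. It models this common ruleset
(assumed here, not the poster's actual rules):

  iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
      -m recent --set --name SSH
  iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
      -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP

Semantics follow the kernel's xt_recent: --set records a timestamp for the
source; --update matches when at least --hitcount timestamps fall inside the
last --seconds and, on a match, records another timestamp, so a source that
keeps connecting stays blocked until it is quiet for a whole window.
Only connection attempts are counted: the match cannot tell a failed login
from a successful scp, which is the caveat raised in the thread.
"""
from collections import defaultdict, deque

RING_SIZE = 20  # xt_recent ip_pkt_list_tot default: stamps kept per address


class RecentTable:
    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=RING_SIZE))

    def set(self, src, now):
        """-m recent --set: record one timestamp for src."""
        self.stamps[src].append(now)

    def update(self, src, now, seconds, hitcount):
        """-m recent --update --seconds N --hitcount M: True if matched."""
        if src not in self.stamps:
            return False
        window_start = now - seconds
        hits = sum(1 for t in self.stamps[src] if t >= window_start)
        if hits >= hitcount:
            self.stamps[src].append(now)  # a match refreshes the entry
            return True
        return False


def simulate(connections, seconds=60, hitcount=4):
    """connections: constructed list of (src_ip, time_in_seconds), one per
    NEW SSH connection; returns the verdict for each, in order."""
    table = RecentTable()
    verdicts = []
    for src, now in connections:
        table.set(src, now)  # rule 1 fires for every NEW SSH packet
        dropped = table.update(src, now, seconds, hitcount)  # rule 2
        verdicts.append("DROP" if dropped else "ACCEPT")
    return verdicts


if __name__ == "__main__":
    # Constructed sample: four scp runs two seconds apart, then a retry a
    # full window later. The 4th copy is dropped although every login
    # succeeded; the retry at t=70 is accepted again.
    burst = [("192.0.2.10", t) for t in (0, 2, 4, 6)] + [("192.0.2.10", 70)]
    for (src, t), v in zip(burst, simulate(burst)):
        print(f"t={t:3d}s {src} -> {v}")
```

Swapping the two rules (DROP rule first) shifts the cut-off by one connection, because the `--update` check then runs before the current packet's own timestamp has been recorded.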