On Mon, Jun 20, 2016 at 02:24:11AM +0800, Irwin L. wrote:
> As subject says.
>
> tcp dport {22} counter limit rate 3/minute counter accept comment "avoid
> brute force"
>
> I've tried something like this, but it seems to limit ALL ips.
> I would prefer to block the ip address for 24 hours or something.

Try something like:

# nft add rule x y tcp dport 22 \
      flow table ssh-bruteforce { ip saddr limit rate 3/minute } \
      accept comment \"avoid brute force\"

This is rate limiting based on the source IP address. You can consult the
content of this flow table via:

# nft list flow table x ssh-bruteforce
...

The current output of this specific command is not stable. You require a
relatively recent kernel and nft 0.6 to get this working.

BTW, please don't use:

tcp dport { 22}

The curly braces have very specific semantics, i.e. they are requesting the
kernel to create a set. In this specific case, this is overkill since this
will create a set with *only one single element*. Thus:

tcp dport 22

is better.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
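The difference between the two rules in the thread, a single `limit rate 3/minute` shared by every client versus a `flow table ... { ip saddr limit rate 3/minute }` keyed by source address, can be shown with a small model. The following is an added Python illustration, not nftables code and not from the list thread: it models nft's `limit` expression as a token bucket (the burst of 5 is an assumption; nft's real `limit` implementation and defaults are not described in the mail), runs a constructed trace of SSH connection attempts through a global limiter and through a per-source limiter, and counts which source addresses still get accepted. The IP addresses and timings are constructed sample data.

```python
"""Global vs. per-source-address rate limiting, modelled after the two nft
rules discussed in the thread.  Added illustration; the token bucket is an
approximation of nft's `limit` expression (burst value of 5 is assumed)."""

from collections import defaultdict


class TokenBucket:
    """Token bucket with `rate_per_minute` refill and `burst` capacity.

    Tokens are stored in sixtieths so that integer second timestamps give
    exact arithmetic (rate_per_minute sixtieths are added per second)."""

    def __init__(self, rate_per_minute, burst=5):
        self.rate = rate_per_minute      # sixtieths of a token added per second
        self.cap = burst * 60            # capacity, in sixtieths of a token
        self.tokens = self.cap           # bucket starts full
        self.last = 0                    # timestamp of the last refill

    def allow(self, now):
        """Refill for the elapsed seconds, then spend one token if available."""
        self.tokens = min(self.cap, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 60:
            self.tokens -= 60
            return True
        return False


def global_limit(attempts, rate=3, burst=5):
    """One bucket shared by all sources: the original poster's rule.

    Returns a list of (time, src_ip, accepted) tuples."""
    bucket = TokenBucket(rate, burst)
    return [(t, ip, bucket.allow(t)) for t, ip in attempts]


def per_source_limit(attempts, rate=3, burst=5):
    """One bucket per `ip saddr`: what the flow table in the reply does.

    Returns a list of (time, src_ip, accepted) tuples."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    return [(t, ip, buckets[ip].allow(t)) for t, ip in attempts]


def accepted_for(results, ip):
    """Count accepted attempts for one source address in a result list."""
    return sum(1 for _, src, ok in results if src == ip and ok)


# Constructed trace (not real traffic): 203.0.113.7 hammers port 22 once a
# second for 30 seconds, while an administrator at 198.51.100.20 makes two
# ordinary connection attempts at t=10 and t=25.
ATTACKER = "203.0.113.7"
ADMIN = "198.51.100.20"
ATTEMPTS = sorted(
    [(t, ATTACKER) for t in range(30)] + [(10, ADMIN), (25, ADMIN)]
)


if __name__ == "__main__":
    for name, policy in (("global limit", global_limit),
                         ("per-source limit", per_source_limit)):
        results = policy(ATTEMPTS)
        print(f"{name:17s} attacker accepted: {accepted_for(results, ATTACKER)}"
              f"  admin accepted: {accepted_for(results, ADMIN)}")
```

With the shared bucket the brute-forcer drains it in the first five seconds and the administrator's two attempts are dropped along with the attacker's, which is the "limits ALL ips" symptom from the original mail; with a bucket per source address the attacker is still held to the same budget while the administrator's attempts are accepted untouched.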