On 2016-06-23 18:34, Pablo Neira Ayuso wrote:
> On Mon, Jun 20, 2016 at 02:24:11AM +0800, Irwin L. wrote:
> > As subject says.
> > tcp dport {22} counter limit rate 3/minute counter accept comment "avoid brute force"
> > I've tried something like this, but it seems to limit ALL IPs.
> > I would prefer to block the ip address for 24 hours or something.
> Try something like:
> # nft add rule x y tcp dport 22 \
>     flow table ssh-bruteforce { ip saddr limit rate 3/minute } \
>     accept comment \"avoid brute force\"
> This is ratelimiting based on the source IP address.
> You can consult the content of this flow table via:
> # nft list flow table x ssh-bruteforce
> ...
> The current output of this specific command is not stable.
> You require a relatively recent kernel and nft 0.6 to get this working.
> BTW, please don't use:
> tcp dport { 22}
> The curly braces have very specific semantics, ie. they are requesting
> the kernel to create a set. In this specific case, this is overkill
> since this will create a set with *only one single element*. Thus:
> tcp dport 22
> is better.
I currently use:
tcp dport {22222,40022,42222} ct state new counter flow table bruteforce { ip saddr limit rate 3/minute } counter accept comment "limit bruteforce"
Is this ok?
I wanted to ban spamming IPs altogether, but I've since learned that
this is the job of 'fail2ban'.
Thanks!
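The difference Pablo describes (a bare `limit rate` shares one budget across every client, while the flow table keyed on `ip saddr` gives each source its own budget) can be seen in a small simulation. The following is an added example, not code from either poster or from the nftables project. It assumes a simplified model: the kernel's limit expression is really a token bucket with a burst parameter, but here it is approximated as "at most N accepted packets per sliding 60-second window", which is enough to reproduce the verdicts; the addresses and timestamps are constructed sample traffic.

```python
# Added example: model nftables "limit rate 3/minute" as a sliding-window
# budget, either shared by all clients (bare limit) or keyed on the source
# address (flow table { ip saddr limit rate ... }).
# ASSUMPTION: the real nft limit is a token bucket with a burst; the sliding
# window below is a simplification that gives the same accept/over-limit
# pattern for this traffic.
from collections import defaultdict, deque

# The two rule shapes from the thread, kept only as a reference.
GLOBAL_RULE = 'tcp dport 22 limit rate 3/minute accept'
PER_SOURCE_RULE = ('tcp dport 22 flow table ssh-bruteforce '
                   '{ ip saddr limit rate 3/minute } accept')

RATE = 3        # packets allowed ...
WINDOW = 60.0   # ... per this many seconds (3/minute)


def run_limit(events, keyed_on_source, rate=RATE, window=WINDOW):
    """Apply the limit to (timestamp_seconds, src_ip) events.

    keyed_on_source=False models the bare `limit rate` (one shared budget);
    keyed_on_source=True models the flow table keyed on `ip saddr`.
    Returns a list of (timestamp, src_ip, verdict) in time order, where
    "over-limit" means the rule does not match and the packet falls through
    to the next rule or the chain policy.
    """
    budgets = defaultdict(deque)   # key -> timestamps of accepted packets
    verdicts = []
    for ts, src in sorted(events):
        key = src if keyed_on_source else "*"
        q = budgets[key]
        # Drop accepted timestamps that have aged out of the window.
        while q and q[0] <= ts - window:
            q.popleft()
        if len(q) < rate:
            q.append(ts)            # only accepted packets consume budget
            verdicts.append((ts, src, "accept"))
        else:
            verdicts.append((ts, src, "over-limit"))
    return verdicts


def accepted_per_source(verdicts):
    """Count accepted packets per source; sources with 0 accepts still appear."""
    counts = {src: 0 for _, src, _ in verdicts}
    for _, src, verdict in verdicts:
        if verdict == "accept":
            counts[src] += 1
    return counts


# Constructed traffic (RFC 5737 documentation addresses): one host hitting
# port 22 once a second, and an administrator connecting twice in the same minute.
SAMPLE_EVENTS = [
    (0.0, "198.51.100.7"), (1.0, "198.51.100.7"), (2.0, "198.51.100.7"),
    (3.0, "198.51.100.7"), (4.0, "198.51.100.7"), (5.0, "198.51.100.7"),
    (6.0, "203.0.113.10"), (30.0, "203.0.113.10"),
]


def compare(events=SAMPLE_EVENTS):
    """Accepted packets per source under the global and the per-source limit."""
    return {
        "global": accepted_per_source(run_limit(events, keyed_on_source=False)),
        "per_source": accepted_per_source(run_limit(events, keyed_on_source=True)),
    }


if __name__ == "__main__":
    for mode, counts in compare().items():
        print(mode, counts)
```

With the shared budget the hammering host uses up all three accepts, so the administrator's two connections at t=6 and t=30 both fall over the limit, which is the "limits ALL IPs" effect from the first message; keyed on `ip saddr`, the administrator keeps a budget of their own and both connections are accepted.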
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html