Re: nftables: drop ssh brute force with ip block

On 2016-06-23 18:34, Pablo Neira Ayuso wrote:
> On Mon, Jun 20, 2016 at 02:24:11AM +0800, Irwin L. wrote:
>> As subject says.
>>
>> tcp dport {22} counter limit rate 3/minute counter accept comment "avoid
>> brute force"
>>
>> I've tried something like this, but it seems to limit ALL ips.
>> I would prefer to block the ip address for 24 hours or something.
>
> Try something like:
>
> # nft add rule x y tcp dport 22 \
>          flow table ssh-bruteforce { ip saddr limit rate 3/minute } \
>                  accept comment \"avoid brute force\"
>
> This is ratelimiting based on the source IP address.
>
> You can consult the content of this flow table via:
>
> # nft list flow table x ssh-bruteforce
> ...
>
> The current output of this specific command is not stable,
>
> You require a relatively recent kernel and nft 0.6 to get this
> working.
>
> BTW, please don't use:
>
>          tcp dport { 22}
>
> The curly braces have very specific semantics, i.e. they are requesting
> the kernel to create a set. In this specific case, this is overkill
> since this will create a set with *only one single element*. Thus:
>
>          tcp dport 22
>
> is better.

I currently use:
tcp dport {22222,40022,42222} ct state new counter flow table bruteforce { ip saddr limit rate 3/minute } counter accept comment "limit bruteforce"

Is this ok?

I wanted to ban spamming IPs altogether, but I've since learned that this is the job of 'fail2ban'.

Thanks!
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
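What Irwin asked for at the top of the thread, banning an offending source for 24 hours, can be done in nftables alone with a dynamic set that carries per-element timeouts. The ruleset below is an added example and is not code from this thread; it uses the syntax current nft (0.9 or later) accepts, where the `flow table` statement in Pablo's reply has become a dynamic set updated from the packet path with `add @set { ... }`. The table and set names, the port and the 3/minute threshold are assumptions; adjust them to your own layout.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread: per-source rate limit on new SSH
# connections plus a 24h ban for sources that exceed it, using nftables
# dynamic sets. Table/set names and the port are assumptions.
# Load with: nft -f ssh-ban.nft

flush ruleset

table inet filter {
    # Sources that exceeded the SSH connection rate. Elements expire on
    # their own after 24h because the set has the timeout flag and a
    # set-level default timeout.
    set ssh_blocklist {
        type ipv4_addr
        flags dynamic, timeout
        size 65536
        timeout 24h
    }

    # One token bucket per source address for new SSH connections. This is
    # the modern form of "flow table ssh-bruteforce { ip saddr limit rate
    # ... }" from Pablo's reply. The 10m timeout garbage-collects buckets of
    # sources that have gone quiet so the set cannot fill up and silently
    # stop rate limiting.
    set ssh_meter {
        type ipv4_addr
        flags dynamic, timeout
        size 65536
        timeout 10m
    }

    chain input {
        # Minimal input chain for the example: loopback, established traffic
        # and SSH only. Add your own ICMP/service rules as needed.
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established, related accept
        ct state invalid drop

        # Anything already banned is dropped before it can reach sshd.
        ip saddr @ssh_blocklist counter drop

        # "limit rate over" matches only once this source exceeds 3 new
        # connections per minute. On a match the source is added to the
        # blocklist (picking up the 24h timeout) and the packet is dropped.
        # "ct state new" charges the bucket per connection attempt, not per
        # packet, so established sessions are never counted.
        tcp dport 22 ct state new add @ssh_meter { ip saddr limit rate over 3/minute } add @ssh_blocklist { ip saddr } counter drop comment "ssh brute force: ban source for 24h"

        tcp dport 22 ct state new counter accept comment "ssh"
    }
}
```

Load it with `nft -f ssh-ban.nft`; `nft list set inet filter ssh_blocklist` shows who is banned and how much of each element's timeout remains, and `nft delete element inet filter ssh_blocklist { 192.0.2.10 }` lifts a ban early. Two caveats a practitioner should keep in mind: the meter counts connection attempts, not failed logins, so a legitimate user (or a whole office behind one NAT address) that opens more than three SSH sessions a minute lands in the blocklist just like a scanner, which is exactly the gap fail2ban fills by reading the authentication log; and `ip saddr` matches IPv4 only, so an IPv6-reachable host needs a parallel pair of `type ipv6_addr` sets keyed on `ip6 saddr`.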


