Date: Thu, 2 Oct 2008 10:17:47 +0100
Content-Type: text/plain
I was just trying to understand this solution, but I can't find any documentation for "recent". Where can I find out more about
it? It is not mentioned in "man iptables".
Mark Stodola wrote:
> Sorry I haven't been following this whole thing, but I caught the last
> few. As far as a real-time solution, I use iptables. It doesn't care
> if a login failed or succeeded, it just counts the rate of connection.
> You can play with it a bit, depending on how many users hit your machine
> and how often. It is on a per-host basis, so 3 people from 3 different
> machines won't trip it, however 3 connections from a single machine in
> less than a minute will. Easily tweaked using lines 2 and 3. This
> stops all of those automated brute-force attacks for me, and I haven't
> locked myself out (yet).
>
> My sample script:
>
> #
> # SSH FLOOD PROTECTION
> #
>
> # create our new limiting chain where we can send everything to be limited.
> ${IPTABLES} -N mylimit
>
> # demand XX seconds of silence from a host that has been flagged as flooding.
> ${IPTABLES} -A mylimit -m recent --update --seconds 604800 -j DROP
>
> # if the host is not flagged for flooding, and has not started to flood in the last minute,
> # bounce their connection back where it came from for further rule matching.
> ${IPTABLES} -A mylimit -m limit --limit 2/m --limit-burst 3 -j RETURN
>
> # They have started to flood, drop their connection and flag them.
> ${IPTABLES} -A mylimit -m recent --set -j DROP
>
> # shunt NEW ssh connections over to mylimit to be limited
> ${IPTABLES} -A INPUT -i ${EXTIF} -p tcp --dport ssh -m state --state NEW -j mylimit
>
> Cheers,
> Mark
--
Alex Finch, Research Fellow, Physics Department, Lancaster University.
+44 (0) 1524 593618 http://www.lancs.ac.uk/depts/physics/staff/ajf.htm
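For reference, the recent match is documented in the iptables-extensions(8) man page on current systems (older releases folded the match sections into iptables(8)). Below is an added example, not Mark's script or anything posted to the list, that rebuilds the same chain with a named recent list and with hashlimit for the rate check, because plain "-m limit" keeps one token bucket shared by every source address, so hashlimit is what makes the threshold per host. It assumes the external interface is eth0 and reuses the 604800-second ban and 3-per-minute threshold from the quoted script; with IPTABLES=echo it prints the rules instead of loading them.

```shell
# Added example (not Mark's script): SSH new-connection limiting with a
# named "recent" list and per-source-address rate accounting via hashlimit.
# Assumptions: external interface eth0; the 604800 s ban and the
# 3-per-minute threshold come from the quoted script.  With IPTABLES=echo
# the rules are printed rather than loaded.
IPTABLES="${IPTABLES:-iptables}"
EXTIF="${EXTIF:-eth0}"
BAN_SECONDS="${BAN_SECONDS:-604800}"

ssh_limit_rules() {
    "$IPTABLES" -N mylimit

    # Already flagged source: refresh its timestamp and drop.  --update
    # restarts the clock on every hit, so a host that keeps probing stays
    # banned until it has been silent for BAN_SECONDS (--rcheck would
    # instead ban for a fixed period measured from the first flag).
    "$IPTABLES" -A mylimit -m recent --name sshflood --rsource \
        --update --seconds "$BAN_SECONDS" -j DROP

    # Not flagged and under the per-source rate: hand the packet back to
    # INPUT.  hashlimit keeps one bucket per source address; plain
    # "-m limit" keeps a single bucket shared by every source.
    "$IPTABLES" -A mylimit -m hashlimit --hashlimit-name sshrate \
        --hashlimit-mode srcip --hashlimit-upto 2/minute --hashlimit-burst 3 \
        -j RETURN

    # Over the rate: add the source to the sshflood list and drop.
    "$IPTABLES" -A mylimit -m recent --name sshflood --rsource --set -j DROP

    # Only new inbound SSH connections on the external interface go through
    # the chain; established sessions are never rate-limited.
    "$IPTABLES" -A INPUT -i "$EXTIF" -p tcp --dport 22 \
        -m conntrack --ctstate NEW -j mylimit
}

# Dry run unless APPLY=1 is set; loading rules requires root.
[ "${APPLY:-0}" = 1 ] || IPTABLES=echo
ssh_limit_rules
```

Addresses currently held in the list can be inspected in /proc/net/xt_recent/sshflood (on older kernels /proc/net/ipt_recent/sshflood), which is the quickest way to confirm who has been flagged before you lock yourself out.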