*** For details on how to be removed from this list visit the ***
*** CCP4 home page http://www.ccp4.ac.uk ***
On Fri, Jun 16, 2006 at 09:13:53AM +0200, Kay Diederichs wrote:
>
> On my RHEL4-clones I replace the usual line in /etc/sysconfig/iptables
>
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
>
> with
>
> -A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport ssh -m recent --name SSH --update --seconds 60 -j DROP

I think this should technically be --rcheck rather than --update, but it'll
work either way.

> -A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport ssh -m recent --name SSH --set -j ACCEPT
>
> This works "out of the box" on RHEL4. What it does is that it reduces
> the rate of ssh login attempts per IP to one per minute; an ongoing
> unsuccessful attempt essentially blocks the ssh port for this IP. The
> net result is that "ssh attacks" are blocked after one trial, but normal
> usage by remote users is (transparently) possible - however if they make
> a typo while logging in by ssh, they must wait one minute until the
> next attempt (of course this could be adjusted down to 20 seconds or so).
>

Alternatively, you can set the number of login attempts allowed per unit
time (yanked from an SSH chain I jump to every time a NEW connection is
attempted):

-A SSH -m recent --name SSH --set --rsource
-A SSH -m recent ! --rcheck --seconds 60 --hitcount 3 --name SSH --rsource -j RETURN
-A SSH -j DUMP

Grant Taylor on the netfilter mailing list is a guru on this sort of thing;
I'd recommend his scripts for reference/information:

http://lists.netfilter.org/pipermail/netfilter/2005-June/060914.html
http://lists.netfilter.org/pipermail/netfilter/2005-June/061362.html

HTH,
Tim

--
---------------------------------------------------------
Tim Fenn
[EMAIL PROTECTED]
Stanford University, School of Medicine
James H. Clark Center
318 Campus Drive, Room E300
Stanford, CA 94305-5432
Phone: (650) 736-1714
FAX: (650) 736-1961
---------------------------------------------------------
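To make the difference between the two rule sets (and between --update and --rcheck in Kay's version) concrete, here is a small replay of both against a constructed timeline of NEW SSH connections. This is an added example, not code from either poster: it models the netfilter `recent` match as a per-address list of packet timestamps, where --seconds counts only stamps inside the window, --hitcount is the number of such stamps including the packet being tested, and --update refreshes the address on a match while --rcheck does not. The DUMP target is assumed to be Tim's own log-and-drop chain, and the two IP addresses and the connection times are made up for the run.

```python
"""Replay of the two SSH rate-limiting rule sets from the thread against a
small model of the netfilter `recent` match (xt_recent).  Example written for
this page, not the kernel code: it keeps a per-address ring of packet
timestamps, --seconds restricts which stamps count, --hitcount is the number
of stamps that must fall inside the window (the current packet included)."""
from collections import defaultdict


class RecentList:
    """One `--name` list.  stamps[src] is the ring of packet timestamps the
    kernel keeps per address (ip_pkt_list_tot, 20 entries by default)."""

    def __init__(self, max_stamps=20):
        self.max_stamps = max_stamps
        self.stamps = defaultdict(list)

    def _record(self, src, now):
        ring = self.stamps[src]
        if len(ring) >= self.max_stamps:
            ring.pop(0)               # oldest stamp is overwritten
        ring.append(now)

    def set(self, src, now):
        """--set: add the address (or append a new stamp); always matches."""
        self._record(src, now)
        return True

    def rcheck(self, src, now, seconds=0, hitcount=0):
        """--rcheck: match if the address is listed and has >= hitcount stamps
        within the last `seconds` seconds (0 = no window / any one stamp)."""
        if src not in self.stamps:
            return False
        hits = 0
        for stamp in self.stamps[src]:
            if seconds and now - stamp > seconds:
                continue              # outside the window, does not count
            hits += 1
            if not hitcount or hits >= hitcount:
                return True
        return False

    def update(self, src, now, seconds=0, hitcount=0):
        """--update: like --rcheck, but a match also stamps the address with
        the current packet's time, so a retrying client keeps the window open."""
        if self.rcheck(src, now, seconds, hitcount):
            self._record(src, now)
            return True
        return False


def kay_rules(attempts, check="update", seconds=60):
    """Kay's two rules on NEW SSH packets:
         -m recent --name SSH --<check> --seconds 60 -j DROP
         -m recent --name SSH --set -j ACCEPT
    `check` is "update" (as posted) or "rcheck" (Tim's suggestion)."""
    ssh = RecentList()
    matcher = ssh.update if check == "update" else ssh.rcheck
    verdicts = []
    for now, src in attempts:
        if matcher(src, now, seconds=seconds):
            verdicts.append("DROP")
        else:
            ssh.set(src, now)
            verdicts.append("ACCEPT")
    return verdicts


def tim_rules(attempts, seconds=60, hitcount=3):
    """Tim's SSH chain (DUMP assumed to be his log-and-drop chain):
         -A SSH -m recent --name SSH --set --rsource
         -A SSH -m recent ! --rcheck --seconds 60 --hitcount 3 --name SSH --rsource -j RETURN
         -A SSH -j DUMP"""
    ssh = RecentList()
    verdicts = []
    for now, src in attempts:
        ssh.set(src, now)                 # rule 1: record, no target, fall through
        if not ssh.rcheck(src, now, seconds, hitcount):
            verdicts.append("RETURN")     # rule 2: under the limit, back to caller
        else:
            verdicts.append("DUMP")       # rule 3: third hit inside 60 s
    return verdicts


# Constructed timeline (seconds, source): an attacker retrying every 25 s and a
# legitimate user who mistypes a password once and comes back later.
ATTACKER, USER = "198.51.100.9", "192.0.2.7"
TIMELINE = [(0, ATTACKER), (5, USER), (25, ATTACKER), (30, USER),
            (50, ATTACKER), (75, ATTACKER), (100, USER), (100, ATTACKER),
            (125, ATTACKER)]

if __name__ == "__main__":
    for label, verdicts in (("kay/--update", kay_rules(TIMELINE, "update")),
                            ("kay/--rcheck", kay_rules(TIMELINE, "rcheck")),
                            ("tim/--hitcount 3", tim_rules(TIMELINE))):
        print(label)
        for (now, src), verdict in zip(TIMELINE, verdicts):
            print(f"  t={now:3d}s {src:>13} -> {verdict}")
```

The replay shows why "it'll work either way": with --update every retry inside the window re-stamps the address, so the attacker hammering every 25 s is dropped indefinitely, while with --rcheck the block lapses 60 s after the last accepted connection and the attacker gets one packet through every minute or so. Tim's --hitcount 3 variant records every attempt first, so the third NEW connection inside 60 s (the one that makes the count reach 3) is the first one sent to DUMP; the legitimate user with one typo is never blocked in either scheme. Note that the window test is inclusive at the boundary, so a check made exactly `--seconds` after the last stamp still matches.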
