Peter Van den Wildenbergh wrote:
> Peter Van den Wildenbergh wrote:
>
>> Gustin Johnson wrote:
>>
>>> # Block more than 3 ssh attempts in 1 minute.
>>> $IPTABLES -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
>>>
>>> $IPTABLES -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
>>>
>>>
> Got this working (after I figured out that --update is one word without
> a space.)
> However it works on the actual box running the sshd.
> My ultimate goal is to block it on the IpCop box that
> does the NATting and portforwarding to the actual box.
>
> Any more ideas? I am quite happy with this already! Thank you
>

Well, since you are port forwarding ssh through the ipcop box, you could
try the FORWARD chain instead of the INPUT one. Your custom iptables
stuff should go in /etc/rc.d/rc.local

Most of my machines are net facing so this rule was developed for the
machines running ssh, not an ipcop box. If you successfully write some
rules for ipcop, please let the list know.

You can also prepend a custom string to the logs with:

    LOG --log-prefix "SSH brute Force? "

at the end of your iptables rule to help with filtering etc.

You can also put this:

    >/dev/null 2>&1

at the end to not log that rule at all.

Cheers,
Gustin

> Peter
>
>

_______________________________________________
clug-talk mailing list
http://clug.ca/mailman/listinfo/clug-talk_clug.ca
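To make use of the log lines that the --log-prefix suggestion above produces, here is an added Python example (not code from the thread or from any of its posters) that filters the prefixed kernel messages out of syslog and replays the same "4 new connections in 60 seconds" test that the recent rule applies, so you can see which sources crossed it and when. The sample log lines are constructed, and the FORWARD-chain LOG rule named in the comment is an assumption about how the logging was set up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog lines (not from the thread) in netfilter LOG
# format, assuming a rule like
#   $IPTABLES -I FORWARD -p tcp --dport 22 -m state --state NEW -j LOG --log-prefix "SSH brute Force? "
# ahead of the DROP rule, so each new ssh connection leaves one line.
SAMPLE_LOG = """\
Jul 14 22:01:05 ipcop kernel: SSH brute Force? IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41000 DPT=22 SYN
Jul 14 22:01:15 ipcop kernel: SSH brute Force? IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41001 DPT=22 SYN
Jul 14 22:01:25 ipcop kernel: SSH brute Force? IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41002 DPT=22 SYN
Jul 14 22:01:35 ipcop kernel: SSH brute Force? IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41003 DPT=22 SYN
Jul 14 22:03:00 ipcop kernel: SSH brute Force? IN=eth0 OUT=eth1 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22 SYN
Jul 14 22:05:00 ipcop kernel: SSH brute Force? IN=eth0 OUT=eth1 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=22 SYN
Jul 14 22:05:10 ipcop kernel: eth1: link is up
"""

# Only lines carrying the prefix are of interest; pull the source address out.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: SSH brute Force\? "
    r".*\bSRC=(?P<src>[\d.]+)\b.*\bDPT=22\b"
)

def parse_events(text):
    """Return (timestamp, source) for every prefixed line. syslog stamps
    carry no year, so they land in 1900; only differences matter here."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["src"]))
    return events

def offenders(events, seconds=60, hitcount=4):
    """Replay the 'recent --seconds 60 --hitcount 4' test over the log:
    report each source, with the time it crossed the line, once it has made
    `hitcount` new connections inside any window of `seconds`."""
    recent = defaultdict(deque)   # source -> timestamps still inside the window
    flagged = {}
    for ts, src in sorted(events):
        window = recent[src]
        window.append(ts)
        while (ts - window[0]).total_seconds() > seconds:
            window.popleft()
        if len(window) >= hitcount and src not in flagged:
            flagged[src] = ts
    return flagged
```

Feed it `/var/log/messages` (or wherever the IpCop box sends kernel messages) instead of SAMPLE_LOG, and adjust `seconds` and `hitcount` to match whatever values you used in the recent rule.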

