OK, this appears to be working, not sure if it's the correct way to do it
though:

# FTP brute force protection (iptables "recent" match)
# Create the user-defined chains first (skip if done elsewhere in the ruleset)
$IPTABLES -N FTPNEW
$IPTABLES -N FTP2
$IPTABLES -N FTPBF
# FTPBF: source is already on the block list, drop the new connection
$IPTABLES -A FTPBF -p tcp -m tcp --dport 21 -j DROP
# FTP2: threshold exceeded; add the source to the block list, log, drop
$IPTABLES -A FTP2 -m recent --set --name FTPBLOCK --rsource
$IPTABLES -A FTP2 -j LOG --log-prefix "FTP BRUTE FORCE: " --log-level 6
$IPTABLES -A FTP2 -j DROP
# FTPNEW: every NEW connection to port 21 is sent here from INPUT.
# Already blocked? No --seconds here, so the block lasts until the entry is
# evicted from the FTPBLOCK list or cleared through the recent module's /proc entry
$IPTABLES -A FTPNEW -m recent --rcheck --name FTPBLOCK --rsource -j FTPBF
# Record this attempt, then trip when 10 or more attempts fall within 120 s
# (--hitcount must not exceed the module's ip_pkt_list_tot, default 20)
$IPTABLES -A FTPNEW -m recent --set --name FTP --rsource
$IPTABLES -A FTPNEW -m recent --update --seconds 120 --hitcount 10 --name FTP --rsource -j FTP2
$IPTABLES -A FTPNEW -j RETURN
# INPUT: run NEW connections through the check first, then accept port 21
$IPTABLES -A INPUT -p tcp -m tcp --dport 21 -m state --state NEW -j FTPNEW
$IPTABLES -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT

On Sat, Oct 18, 2008 at 11:23 AM, Stephen Vaughan <[EMAIL PROTECTED]> wrote:

>
> ok correction, this is the proper ruleset:
>
> $IPTABLES -A INPUT -p tcp -m tcp --dport 21 -m state --state NEW -j FTPNEW
> $IPTABLES -A FTP2 -m recent --set --name FTPBLOCK --rsource
> $IPTABLES -A FTP2 -j LOG --log-prefix "FTP BRUTE FORCE: " --log-level 6
> $IPTABLES -A FTP2 -j DROP
> $IPTABLES -A FTPBF -p tcp -m tcp --dport 21 -j DROP
> $IPTABLES -A FTPNEW -m recent --rcheck --name FTPBLOCK --rsource -j FTPBF
> $IPTABLES -A FTPNEW -m recent --set --name FTP --rsource
> $IPTABLES -A FTPNEW -m recent --update --seconds 120 --hitcount 6 --name FTP --rsource -j FTP2
>
> The first rule is different, so again, this doesn't open port 21. Where do I
> need to place a rule like --dport 21 -j ACCEPT?
>
>
> On Sat, Oct 18, 2008 at 12:57 AM, Pascal Hambourg <[EMAIL PROTECTED]> wrote:
>
>> Stephen Vaughan wrote:
>>
>>> I don't follow... that is not my entire ruleset, but everything for the
>>> brute force is there.
>>>
>>
>> No it's not. In order to be effective, user-defined chains have to be
>> called by another rule from a built-in chain (INPUT, OUTPUT, FORWARD...),
>> and I do not see such a rule here.
>>
>>
>>
>> --
>> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
>> with a subject of "unsubscribe". Trouble? Contact
>> [EMAIL PROTECTED]
>>
>>
>
>
> --
> Best Regards,
> Stephen
>



-- 
Best Regards,
Stephen
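To make the threshold behaviour of the FTPNEW ruleset at the top of this message concrete, here is an added example; it is not part of the original post and not netfilter code. It is a small Python model of the subset of the iptables "recent" match the chains rely on (--set, --rcheck, --update with --seconds and --hitcount, and the per-address stamp list capped at ip_pkt_list_tot), run over constructed NEW-connection timestamps from two made-up documentation-range addresses. It shows that attempts 1 to 9 inside the window are accepted, the 10th trips FTP2, everything after that is dropped by the FTPBLOCK check even fifteen minutes later (the rcheck has no --seconds), and a client connecting every 30 seconds never reaches the threshold. The class and function names, the addresses and the log line format are this example's own assumptions.

```python
"""Model of the iptables "recent" match logic used by the FTPNEW chain.

Added example (not from the original post or from netfilter itself).
It reproduces the subset of xt_recent semantics the ruleset relies on:
  --set    : append a timestamp to the source's list (created on demand)
  --rcheck : match if the source has at least --hitcount stamps (default 1)
             newer than now - --seconds (all stamps when --seconds is 0)
  --update : same test as --rcheck, and on a match also append a stamp
Each address keeps at most ip_pkt_list_tot stamps (module default 20),
which is why --hitcount must stay at or below that value.
"""
from collections import defaultdict, deque

IP_PKT_LIST_TOT = 20  # xt_recent default: timestamps kept per address


class RecentList:
    """One named list, e.g. FTP or FTPBLOCK, keyed by source address."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=IP_PKT_LIST_TOT))

    def set(self, src, now):
        """-m recent --set"""
        self.stamps[src].append(now)

    def rcheck(self, src, now, seconds=0, hitcount=0):
        """-m recent --rcheck [--seconds N] [--hitcount M]"""
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if not seconds or now - t <= seconds)
        return hits >= max(hitcount, 1)

    def update(self, src, now, seconds=0, hitcount=0):
        """-m recent --update: rcheck, plus a fresh stamp when it matches"""
        matched = self.rcheck(src, now, seconds, hitcount)
        if matched:
            self.stamps[src].append(now)
        return matched


class FtpBruteForceFilter:
    """The FTPNEW / FTP2 / FTPBF chains as one decision per NEW connection."""

    def __init__(self, seconds=120, hitcount=10):
        self.seconds, self.hitcount = seconds, hitcount
        self.ftp, self.ftpblock = RecentList(), RecentList()
        self.log = []  # what the LOG target in FTP2 would emit (format is ours)

    def new_connection(self, src, now):
        # FTPNEW rule 1: --rcheck --name FTPBLOCK -j FTPBF. No --seconds, so
        # any stamp at all matches and the block only ends when the entry is
        # evicted from the list or cleared by hand.
        if self.ftpblock.rcheck(src, now):
            return "DROP"  # FTPBF
        # FTPNEW rule 2: --set --name FTP (this attempt now counts as a hit)
        self.ftp.set(src, now)
        # FTPNEW rule 3: --update --seconds S --hitcount H --name FTP -j FTP2
        if self.ftp.update(src, now, self.seconds, self.hitcount):
            self.ftpblock.set(src, now)  # FTP2: --set --name FTPBLOCK
            self.log.append("FTP BRUTE FORCE: SRC=%s t=%d" % (src, now))  # FTP2: LOG
            return "DROP"  # FTP2: DROP
        return "ACCEPT"  # FTPNEW: RETURN, then INPUT's --dport 21 -j ACCEPT


def run(attempts, seconds=120, hitcount=10):
    """Feed (src, time_in_seconds) NEW connections through the filter.

    Returns the list of (src, time, verdict) and the simulated log lines.
    """
    flt = FtpBruteForceFilter(seconds, hitcount)
    verdicts = [(src, t, flt.new_connection(src, t)) for src, t in attempts]
    return verdicts, flt.log


# Constructed input (not real traffic): an attacker (198.51.100.7) opening a
# NEW connection every 5 s, then coming back 15 minutes later, interleaved
# with a normal client (203.0.113.5) connecting every 30 s.
ATTEMPTS = sorted(
    [("198.51.100.7", t) for t in range(0, 50, 5)] + [("198.51.100.7", 900)]
    + [("203.0.113.5", t) for t in range(0, 121, 30)],
    key=lambda a: a[1],
)

if __name__ == "__main__":
    verdicts, log = run(ATTEMPTS)
    for src, t, verdict in verdicts:
        print("t=%4ds %-14s %s" % (t, src, verdict))
    print("\n".join(log))
```

Two things the run makes visible that the rules alone do not: the --set on every NEW means the attempt that crosses the threshold is itself counted, so the block lands on the 10th attempt, not the 11th; and because the FTPBLOCK rcheck carries no --seconds, the filter never forgets a blocked source on its own, so a shared NAT address that trips it stays locked out until the entry is evicted or cleared.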
