Hi!
On Sun, Oct 02, 2005 at 02:24:23PM -0700, Tad Glines wrote:
> These are the rules that I'm using.
>
> # Track connections to SSH
> -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags FIN,ACK FIN,ACK \
>   --dport 22 -m recent --name SSH --set
> -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags RST RST \
> --dport 22 -m recent --name SSH --set
>
> # Drop if connection rate exceeds 4/minute
> -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
>   --rcheck --seconds 60 --hitcount 4 -m limit -j LOG --log-prefix "SSH_limit: "
> -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
> --rcheck --seconds 60 --hitcount 4 -j DROP
>
> # Drop if connection rate exceeds 20/hour
> -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
>   --rcheck --seconds 3600 --hitcount 20 -m limit -j LOG --log-prefix "SSH_limit: "
> -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
> --rcheck --seconds 3600 --hitcount 20 -j DROP
What about DoS because of these rules? Imagine somebody runs SSH
connections to your host every 10 seconds while you don't have an
already-opened SSH connection to the server... In this case you will
never have a chance to log in to your server (and fix this issue)?!
--
WBR, Alex.
--
[email protected] mailing list
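Added example, not code from the thread: a small model of the `recent` window the quoted rules rely on, run over the "a connection every 10 seconds" pattern described above. It assumes xt_recent defaults (entries keyed by source address, at most 20 timestamps kept per address) and models only new-connection attempts, not packets of sessions already open; the addresses are constructed.

```python
# Constructed model of `-m recent --set` / `--rcheck --seconds S --hitcount N`
# as the quoted SSH rules use them. Not the kernel implementation.
from collections import defaultdict, deque

PKT_LIST_TOT = 20               # xt_recent default history length per address
LIMITS = ((60, 4), (3600, 20))  # (--seconds, --hitcount) pairs from the rules

class RecentTable:
    """One `-m recent --name` table: per-source timestamps of --set hits."""
    def __init__(self):
        self.hist = defaultdict(lambda: deque(maxlen=PKT_LIST_TOT))

    def set(self, src, now):                        # --set: record this packet
        self.hist[src].append(now)

    def rcheck(self, src, now, seconds, hitcount):  # --rcheck: test, no update
        recent = [t for t in self.hist[src] if now - t <= seconds]
        return len(recent) >= hitcount

def syn_allowed(table, src, now):
    """A new attempt passes only if no (--seconds, --hitcount) window trips."""
    return not any(table.rcheck(src, now, s, n) for s, n in LIMITS)

def simulate(attempts, session_len=1):
    """attempts: iterable of (time, src). An accepted attempt opens a short
    session whose close (FIN/RST while ESTABLISHED) fires the --set rules
    at time + session_len; a dropped attempt never reaches --set.
    Returns [(time, src, allowed)] in time order."""
    table = RecentTable()
    pending = []                 # session closes not yet applied: (time, src)
    result = []
    for t, src in sorted(attempts):
        for ct, csrc in [p for p in pending if p[0] <= t]:
            table.set(csrc, ct)
        pending = [p for p in pending if p[0] > t]
        ok = syn_allowed(table, src, t)
        if ok:
            pending.append((t + session_len, src))
        result.append((t, src, ok))
    return result

# Constructed scenario: one source retries every 10 s for two minutes,
# a second source makes a single attempt in the middle of that run.
SCRIPTED = [(t, "198.51.100.7") for t in range(0, 121, 10)] + [(45, "203.0.113.5")]

if __name__ == "__main__":
    for t, src, ok in simulate(SCRIPTED):
        print(f"t={t:4d} {src:14} {'ACCEPT' if ok else 'DROP'}")
```

The output shows the 4-per-minute window closing after the fourth close and reopening once the oldest close ages past 60 seconds, while the second source is judged on its own history.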