These rules only block out the offending IP. All others remain unblocked.

> -----Original Message-----
> From: Alex Efros [mailto:[EMAIL PROTECTED]
> Sent: Sunday, October 02, 2005 3:54 PM
> To: [email protected]
> Subject: Re: [gentoo-security] [OT?] automatically firewalling off IPs
>
> Hi!
>
> On Sun, Oct 02, 2005 at 02:24:23PM -0700, Tad Glines wrote:
> > These are the rules that I'm using.
> >
> > # Track connections to SSH
> > -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags FIN,ACK FIN,ACK \
> >   --dport 22 -m recent --name SSH --set
> > -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags RST RST \
> >   --dport 22 -m recent --name SSH --set
> >
> > # Drop if connection rate exceeds 4/minute
> > -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
> >   --rcheck --seconds 60 --hitcount 4 -m limit -j LOG --log-prefix "SSH_limit: "
> > -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
> >   --rcheck --seconds 60 --hitcount 4 -j DROP
> >
> > # Drop if connection rate exceeds 20/hour
> > -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
> >   --rcheck --seconds 3600 --hitcount 20 -m limit -j LOG --log-prefix "SSH_limit: "
> > -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
> >   --rcheck --seconds 3600 --hitcount 20 -j DROP
>
> What about DoS because of these rules? Imagine somebody runs SSH
> connections to your host every 10 seconds while you don't have an
> already-opened SSH connection to the server... In this case you will
> never have a chance to log in to your server (and fix this issue)?!
>
> --
> WBR, Alex.
> --
> [email protected] mailing list
-- [email protected] mailing list
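The exchange above hinges on how the `recent` match actually behaves: each `--set` line records a timestamp for the source address whenever an SSH connection from it is torn down (FIN,ACK or RST on an ESTABLISHED flow), and each `--rcheck --seconds N --hitcount K` line matches, without touching the table, when that source already has K or more timestamps within the last N seconds. The following is an added example, not code from the thread or from either poster: a small Python model of that bookkeeping, run over a constructed scenario in which one address (198.51.100.7, chosen here as an illustrative attacker) opens and closes an SSH session every 10 seconds while an administrator tries to log in at the 45-second mark, once from a separate address (203.0.113.5) and once from behind the same address. The model evaluates the verdict only at connection-attempt time and, like the kernel module's default list size, keeps at most 20 timestamps per source; it does not model the fact that the DROP rules also match packets of already-established sessions from an over-limit source.

```python
import heapq
from collections import defaultdict, deque

# Limits taken from the rules quoted in the thread: (seconds, hitcount).
LIMITS = [(60, 4), (3600, 20)]

# Constructed addresses for the scenario (not from the original message).
ATTACKER = "198.51.100.7"
ADMIN = "203.0.113.5"


class RecentTable:
    """Minimal model of the iptables 'recent' match table.

    One timestamp list per source address; the list keeps only the newest
    entries, mirroring the module's per-address packet-list limit.
    """

    def __init__(self, max_hits=20):
        self.entries = defaultdict(lambda: deque(maxlen=max_hits))

    def set(self, src, now):
        """--set: record a hit for src at time 'now'."""
        self.entries[src].append(now)

    def rcheck(self, src, now, seconds, hitcount):
        """--rcheck --seconds --hitcount: match without updating the table."""
        if src not in self.entries:
            return False
        recent = [t for t in self.entries[src] if now - t <= seconds]
        return len(recent) >= hitcount


def simulate(attempts, limits=LIMITS):
    """Run connection attempts through the modelled rule set.

    attempts: iterable of (t, src, duration). An accepted connection is
    closed at t + duration, and that close is what the --set rules record.
    Returns a list of (t, src, verdict) with verdict "ACCEPT" or "DROP".
    """
    table = RecentTable()
    pending_closes = []  # heap of (close_time, src)
    verdicts = []
    for t, src, duration in sorted(attempts):
        # Apply every connection close that happened before this attempt.
        while pending_closes and pending_closes[0][0] <= t:
            close_t, close_src = heapq.heappop(pending_closes)
            table.set(close_src, close_t)
        dropped = any(table.rcheck(src, t, s, h) for s, h in limits)
        verdicts.append((t, src, "DROP" if dropped else "ACCEPT"))
        if not dropped:
            heapq.heappush(pending_closes, (t + duration, src))
    return verdicts


def scenario():
    """Attacker connects every 10 s for two minutes; admin logs in at t=45."""
    attempts = [(t, ATTACKER, 1) for t in range(0, 120, 10)]
    attempts.append((45, ADMIN, 600))      # admin from a separate address
    attempts.append((45, ATTACKER, 600))   # admin sharing the attacker's NAT
    return simulate(attempts)


def verdict_for(verdicts, t, src):
    return next(v for (vt, vs, v) in verdicts if vt == t and vs == src)


if __name__ == "__main__":
    for t, src, v in scenario():
        print(f"t={t:4d}  {src:15s}  {v}")
```

Running it shows the point of the reply above: the attacker's fourth close at t=31 puts four hits inside the 60-second window, so its attempts at t=40, 50 and 60 are dropped while the administrator's login from 203.0.113.5 at t=45 is accepted. The same login from the attacker's address is dropped, which is exactly the lockout Alex describes for the case where the offending traffic and the administrator share one source address. Note also that because `--rcheck` never refreshes the timestamps, a steady 10-second cadence is not blocked permanently: the block lifts once the oldest hit ages past 60 seconds, and the attempt at t=70 is accepted again.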
