Chris Shoemaker wrote:
> I didn't know about ipt recent. I've been using:
>
> -A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name sshscans
> -A RH-Firewall-1-INPUT -m recent --rcheck --seconds 60 --hitcount 5 --name sshscans -j LOG --log-prefix "SSH attack: "
> -A RH-Firewall-1-INPUT -m recent --rcheck --seconds 60 --hitcount 5 --name sshscans -j DROP
Off-topic, but I've been using sshdfilter for a while now, and it seems to limit the number of brute-force attack attempts on my SSH server.

http://www.csc.liv.ac.uk/~greg/sshdfilter/

The script wraps sshd and watches its output for illegal user attempts or bad passwords. Enough of either, and it adds the source IP to an iptables rule to be dropped. After a while, the IP gets removed from the rule, but that's usually after the scanner has moved on.

I'm not sure how well this would work with a higher-traffic SSH server.

-- 
Scott
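The log-watching approach Scott describes (count failed logins per source, block the source once a threshold is crossed, let old entries expire), as an added example that is not sshdfilter's own code: a Python sketch applying the same 5-hits-in-60-seconds threshold as Chris's `recent` rules to sshd log lines. The log lines, the thresholds and the year assumed for the year-less syslog timestamps are all constructed; the iptables command is returned as a string, not executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed thresholds, mirroring the quoted iptables rules: 5 hits within 60 s.
WINDOW_SECONDS = 60
HITCOUNT = 5

# The two sshd messages a watcher keys on: bad password and illegal (invalid) user.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+|Invalid user \S+) from (?P<ip>[\d.]+)"
)

def parse_ts(ts):
    # syslog timestamps carry no year; the constructed sample assumes 2024
    return datetime.strptime(f"2024 {ts}", "%Y %b %d %H:%M:%S")

def offenders(lines, window=WINDOW_SECONDS, hitcount=HITCOUNT):
    """Map source IP -> time it first reached `hitcount` failures inside `window` seconds."""
    hits = defaultdict(deque)   # per-IP sliding window of failure timestamps
    blocked = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue            # successful logins and unrelated lines are ignored
        ip, t = m.group("ip"), parse_ts(m.group("ts"))
        q = hits[ip]
        q.append(t)
        while q and (t - q[0]).total_seconds() > window:
            q.popleft()         # expire hits older than the window, like --seconds
        if len(q) >= hitcount and ip not in blocked:
            blocked[ip] = t
    return blocked

def drop_rule(ip):
    """The rule a watcher would insert for an offender; returned, never run here."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"

# Constructed sample: one fast scanner, one slow source that stays under the window.
LOG = [
    "Mar 12 10:15:01 host sshd[1201]: Invalid user oracle from 203.0.113.5",
    "Mar 12 10:15:02 host sshd[1201]: Failed password for invalid user oracle from 203.0.113.5 port 4422 ssh2",
    "Mar 12 10:15:09 host sshd[1204]: Failed password for root from 203.0.113.5 port 4430 ssh2",
    "Mar 12 10:15:15 host sshd[1207]: Failed password for root from 203.0.113.5 port 4431 ssh2",
    "Mar 12 10:15:22 host sshd[1210]: Failed password for invalid user admin from 203.0.113.5 port 4440 ssh2",
    "Mar 12 10:16:00 host sshd[1220]: Failed password for root from 198.51.100.7 port 5000 ssh2",
    "Mar 12 10:17:20 host sshd[1221]: Failed password for root from 198.51.100.7 port 5001 ssh2",
    "Mar 12 10:18:40 host sshd[1222]: Failed password for root from 198.51.100.7 port 5002 ssh2",
    "Mar 12 10:20:00 host sshd[1223]: Failed password for root from 198.51.100.7 port 5003 ssh2",
    "Mar 12 10:21:20 host sshd[1224]: Failed password for root from 198.51.100.7 port 5004 ssh2",
    "Mar 12 10:22:00 host sshd[1230]: Accepted publickey for alice from 192.0.2.10 port 6000 ssh2",
]
```

Run as a script it only defines the functions; `offenders(LOG)` flags 203.0.113.5 at 10:15:22 and leaves the slow source alone, which is also the gap Scott notes: by the time the rule lands, a scanner has often moved on.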
_______________________________________________
gnucash-devel mailing list
[email protected]
https://lists.gnucash.org/mailman/listinfo/gnucash-devel
