David S. Madole wrote:
From Matthew Schumacher on Monday, May 21, 2007 6:35 PM

The first iptables suggestion blocked the offending IP, which is
fine, but also requires me to babysit the server.  The second
suggestion would correctly limit connections, but if I'm reading it
right, would lump all connections together, not just connections
per originating IP address.

If you are talking about the suggestion I made, which looked like
this:

iptables -A INPUT -p tcp --dport 22 \
    -m state --state NEW \
    -m recent --update --seconds 60 -j DROP

iptables -A INPUT -p tcp --dport 22 \
    -m state --state NEW \
    -m recent --set -j ACCEPT

then you did not read it right. It limits to one connection per IP
address per minute. Each source address is kept track of in enforcing
the limit. Using the --hitcount option in addition to the --seconds
option, you can also create limits such as a maximum of four
connections in two minutes, etc.

I also use this for blocking brute force SSH attacks, and can't understand why anyone would choose a log parsing script instead. It stops them dead in their tracks (even with a much lower time limit). It would be interesting if it could also be applied to POP3. Your logs indicate that a much lower time limit would suffice (not sure why your second line is -1 seconds after the first, though). Even if the protocol allows it, I'm willing to bet you'll find some brain-dead mail client that has problems, though.

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
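The per-source limit described in the reply above, as an added example that is not part of the original thread: a POSIX shell script that emits the two-rule `recent` pair for any port, window and hit count, so the shape the reply uses for SSH (one connection per IP per minute) can also be tried on POP3 as the reply suggests, or relaxed to "four connections in two minutes" with `--hitcount`. The `--name` list, the `DRY_RUN` variable and the function names are this example's own assumptions; the rules quoted in the reply use the module's default list. In dry-run mode (the default) the script only prints the iptables commands.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the "recent" rate-limit
# rule pair from the reply above for an arbitrary service.
# Usage:  sh recent-limit.sh PORT SECONDS HITCOUNT NAME
#         DRY_RUN=0 sh recent-limit.sh 22 60 1 SSH     # actually apply
# DRY_RUN=1 (the default) prints the iptables commands instead of running
# them. NAME is an assumed per-service list name; the rules quoted in the
# reply rely on the module's DEFAULT list instead.

DRY_RUN="${DRY_RUN:-1}"
# Older kernels reject --hitcount above the xt_recent ip_pkt_list_tot
# module parameter, whose default is 20 (assumed as the ceiling here).
MAX_HITS="${MAX_HITS:-20}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# recent_limit PORT SECONDS HITCOUNT NAME
# Rule 1: if this source IP already has HITCOUNT hits in the last SECONDS,
#         refresh its timestamp and DROP. Because --update refreshes the
#         timestamp on every dropped attempt, a client that keeps retrying
#         stays blocked until it pauses for a full window.
# Rule 2: otherwise record a hit for the source and ACCEPT.
# So each source gets HITCOUNT new connections per SECONDS; the next one is
# dropped. With HITCOUNT=1 and SECONDS=60 this is the pair from the reply.
recent_limit() {
    port="$1"; secs="$2"; hits="$3"; name="$4"
    run iptables -A INPUT -p tcp --dport "$port" -m state --state NEW \
        -m recent --name "$name" --update --seconds "$secs" --hitcount "$hits" \
        -j DROP
    run iptables -A INPUT -p tcp --dport "$port" -m state --state NEW \
        -m recent --name "$name" --set -j ACCEPT
}

# valid_args PORT SECONDS HITCOUNT: numeric, and HITCOUNT within 1..MAX_HITS.
valid_args() {
    for n in "$1" "$2" "$3"; do
        case "$n" in ""|*[!0-9]*) return 1 ;; esac
    done
    [ "$3" -ge 1 ] && [ "$3" -le "$MAX_HITS" ]
}

if [ "$#" -eq 4 ]; then
    valid_args "$1" "$2" "$3" || { echo "bad PORT/SECONDS/HITCOUNT" >&2; exit 2; }
    recent_limit "$1" "$2" "$3" "$4"
fi
```

Two things to check before applying this for real: give each service its own `--name`, because without it SSH and POP3 share the DEFAULT list and a POP3 connection counts against the SSH limit; and remember the count is per source address, so several users behind one NAT gateway (or a mail client that opens a fresh POP3 session every poll, as the reply warns) share one allowance and will trip it together.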
