> And I'll recommend this iptables recipe again. (CentOS 5.3 system -
> /etc/sysconfig/iptables -- therefore Redhat, Fedora, SciLinux, Whitebox
> should be similar. You'll have to figure it out yourself if you're using
> something else.)
>
> #+# Handle brute force assaults.
> -N SSH_WHITELIST
> -A SSH_WHITELIST -s 192.168.42.42 -m recent --remove --name SSH -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
> -A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
> -A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
> -A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
> ###
> #+#
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
Maybe the recent module is smart enough to not double count for the same packet, but your rules would be clearer with a log-drop rule you can jump to. Something like:

-N LOG-DROP
-A LOG-DROP -j LOG
-A LOG-DROP -j DROP
-A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG-DROP

That way you invoke the recent module just once and then log and drop based on that.

_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
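As an added illustration, not code from either poster: a small Python model of what the recipe's `-m recent` rules do to one source address, walked in the same order as the chain (the `--set` rule, the `SSH_WHITELIST` jump, then the single `--update --seconds 60 --hitcount 4 -j LOG-DROP` rule from the reply). It is a simplification: `--rttl` (the TTL check) and the kernel's cap on stored timestamps per address are left out, and the window test "seen at least 4 times in the last 60 seconds" is assumed to count the current packet's own `--set` timestamp, which is why the fourth NEW connection in a minute is the first one dropped. Sample events and the `10.0.0.5` address are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field

SECONDS = 60                    # --seconds 60
HITCOUNT = 4                    # --hitcount 4
WHITELIST = {"192.168.42.42"}   # source exempted by the SSH_WHITELIST chain


@dataclass
class RecentList:
    """Simplified model of one xt_recent list (the 'SSH' list in the recipe).
    Only per-source timestamps are kept; --rttl and the per-entry stamp cap
    of the real module are not modelled (assumption)."""
    stamps: dict = field(default_factory=lambda: defaultdict(list))

    def set(self, src, now):    # -m recent --set (and the refresh done by --update on match)
        self.stamps[src].append(now)

    def remove(self, src):      # -m recent --remove
        self.stamps.pop(src, None)

    def hits(self, src, now, seconds):
        # timestamps that fall strictly inside the trailing window
        return sum(1 for t in self.stamps.get(src, []) if now - t < seconds)


def ssh_new_connection(recent, src, now, log=None):
    """Evaluate one NEW tcp/22 packet from `src` at time `now` (seconds).
    Returns "ACCEPT" or "DROP"; LOG entries are appended to `log` if given."""
    recent.set(src, now)                  # first rule: --set --name SSH records every attempt
    if src in WHITELIST:                  # SSH_WHITELIST: --remove, then ACCEPT
        recent.remove(src)
        return "ACCEPT"
    # --update --seconds 60 --hitcount 4 --name SSH -j LOG-DROP
    if recent.hits(src, now, SECONDS) >= HITCOUNT:
        recent.set(src, now)              # --update refreshes the entry when it matches
        if log is not None:
            log.append(f"SSH_brute_force SRC={src} t={now}")
        return "DROP"
    return "ACCEPT"                       # final rule: --dport 22 -j ACCEPT


def simulate(events):
    """events: iterable of (time_seconds, src) NEW connections, in time order.
    Returns (list of verdicts, list of log lines)."""
    recent = RecentList()
    log = []
    verdicts = [ssh_new_connection(recent, src, t, log) for t, src in events]
    return verdicts, log


if __name__ == "__main__":
    # constructed sample: one address retrying every few seconds, then pausing
    attempts = [(0, "10.0.0.5"), (10, "10.0.0.5"), (20, "10.0.0.5"),
                (30, "10.0.0.5"), (35, "10.0.0.5"), (100, "10.0.0.5")]
    verdicts, log = simulate(attempts)
    for (t, src), v in zip(attempts, verdicts):
        print(f"t={t:3d} {src} -> {v}")
    print("\n".join(log))
```

The model makes the reply's point concrete: because `--update` refreshes the entry each time it matches, a source that keeps hammering stays blocked, and every extra `--update` rule that matches the same packet adds one more refresh. Evaluating the window once and jumping to a LOG-DROP chain keeps the counting in a single place, so the logged and dropped packets are always the same ones.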
