You could adapt this ruleset used to block ssh bruteforce attacks:
( quoting from http://www.la-samhna.de/library/brutessh.html )
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set \
--name SSH -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds
60 --hitcount 4 --rttl \
--name SSH -j LOG --log-prefix "SSH_brute_force "
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 \
--hitcount 4 --rttl --name SSH -j DROP
For whitelisting, a possible variation (also described by Andrew Pollock)
would be:
(1) Create a custom chain for whitelisting first:
iptables -N SSH_WHITELIST
(2) Whitelist any host(s) that you like:
iptables -A SSH_WHITELIST -s TRUSTED_HOST_IP -m recent --remove --name
SSH -j ACCEPT
(3) Add the blocking rules:
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set \
--name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update
\
--seconds 60 --hitcount 4 --rttl --name SSH -j ULOG --ulog-prefix
SSH_brute_force
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update
\
--seconds 60 --hitcount 4 --rttl --name SSH -j DROP
David.
-----------------------------------------------------------------------------
To unsubscribe, send email to [EMAIL PROTECTED]
-----------------------------------------------------------------------------
