[olug] Help w/ my server
Lou Duchez
lou at paprikash.com
Mon Jul 23 22:25:42 UTC 2012
On 7/23/2012 6:20 PM, Christopher Cashell wrote:
> On Mon, Jul 23, 2012 at 4:59 PM, Lou Duchez <lou at paprikash.com> wrote:
>> On 7/23/2012 5:56 PM, Christopher Cashell wrote:
>>> -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m limit
>>> --limit 1/min --limit-burst 4 -j ACCEPT
>>>
>>> Now you have built-in protection against brute-force attacks at the
>>> kernel-level, without relying on an external program, or recognizing
>>> the failed logins later via log watching.
>> That is swank, thank you!
> There's also an alternate way of accomplishing essentially the same thing,
> depending on how you want to implement it, and what your goals are. The
> above is used as your ACCEPT line for SSH. Basically it only ACCEPTs the
> packet if no more than 1 SYN packet is received from a single IP within
> 1 minute (with a 4 SYN burst allowed (some apps will send multiple SYNs
> when trying to establish a connection)).
>
> You can also do it this way:
>
> -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set
> --name abusers --rsource
> -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update
> --seconds 180 --hitcount 6 --name abusers --rsource -j DROP
> -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
>
> In this case, we start by setting up a rule that watches how many hits we
> get from each IP address. Then we have a rule that kicks in to explicitly
> DROP any packets when we've exceeded our hitcount. In this case, it's 6
> SYN packets in a 3 minute period. Finally, if our DROP rule hasn't kicked
> in, it falls through to an ACCEPT.
>
> Personally, I prefer the earlier setup, as it's simpler and does the trick
> just fine for simple cases. This method could be useful in certain
> situations, though.
>
Also very swank! Though I think I'll stick with the earlier one for now
as well; it seems like a solid solution in one line.
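To make the difference between the two rule sets concrete, here is a small Python model of both (an added example, not code from this thread or from netfilter). It is a simplified re-implementation of the documented behaviour of the `limit` and `recent` matches, not the kernel's xt_limit/xt_recent code, run over a constructed burst of SSH SYNs: one source sends ten SYNs in ten seconds, a second source connects twice. The IP addresses and timings are made up for the illustration. One thing the model makes visible that is worth knowing when choosing between them: `-m limit` keeps a single token bucket per rule, shared by every source address, so a noisy source can empty it for everyone, while `-m recent --rsource` keeps its hit list per source.

```python
# Added example: simplified model of the two iptables SSH rate-limiting rule
# sets discussed above. Not kernel code; it follows the documented behaviour
# of xt_limit (token bucket) and xt_recent (per-source hit list) closely
# enough to show how each treats the same constructed traffic.
from collections import defaultdict


class LimitMatch:
    """Model of `-m limit --limit 1/min --limit-burst 4`.

    One token bucket per rule, shared by all sources: it starts full with
    `burst` tokens, refills at `rate` tokens per second, and each matching
    packet spends one token. A packet that finds the bucket empty does not
    match the rule; since that rule is an ACCEPT, the packet just falls
    through to later rules or the chain policy, which must drop it.
    """

    def __init__(self, rate_per_sec, burst):
        self.rate = rate_per_sec
        self.burst = burst
        self.credit = float(burst)
        self.last_seen = None

    def matches(self, now):
        if self.last_seen is not None:
            refill = (now - self.last_seen) * self.rate
            self.credit = min(self.burst, self.credit + refill)
        self.last_seen = now
        if self.credit >= 1.0:
            self.credit -= 1.0
            return True
        return False


class RecentMatch:
    """Model of the three-rule `-m recent` setup, tracked per source.

    Rule 1 (`--set --rsource`) records a timestamp for every NEW SYN.
    Rule 2 (`--update --seconds S --hitcount N -j DROP`) matches when the
    source has at least N hits in the last S seconds. Rule 3 ACCEPTs the rest.
    """

    def __init__(self, seconds, hitcount):
        self.seconds = seconds
        self.hitcount = hitcount
        self.hits = defaultdict(list)

    def accepts(self, src, now):
        # Rule 1: --set records the hit before anything else is decided.
        self.hits[src].append(now)
        # Keep only hits inside the window (the kernel also caps list length).
        self.hits[src] = [t for t in self.hits[src] if now - t <= self.seconds]
        # Rule 2 drops once hitcount is reached; otherwise rule 3 accepts.
        return len(self.hits[src]) < self.hitcount


# Constructed traffic (made up for this example): (time in seconds, source).
# 10.0.0.99 sends ten SYNs in ten seconds; 192.0.2.10 connects at t=20 and t=400.
SAMPLE_SYNS = [(t, "10.0.0.99") for t in range(10)] + [
    (20, "192.0.2.10"),
    (400, "192.0.2.10"),
]


def simulate(syns):
    """Run both rule sets over syns; return (time, src, limit_verdict, recent_verdict)."""
    limit = LimitMatch(rate_per_sec=1 / 60, burst=4)      # --limit 1/min --limit-burst 4
    recent = RecentMatch(seconds=180, hitcount=6)         # --seconds 180 --hitcount 6
    results = []
    for now, src in syns:
        limit_verdict = "ACCEPT" if limit.matches(now) else "NO-MATCH"
        recent_verdict = "ACCEPT" if recent.accepts(src, now) else "DROP"
        results.append((now, src, limit_verdict, recent_verdict))
    return results


def accepted_times(results, column):
    """Times at which the given approach (column 2 = limit, 3 = recent) let a SYN in."""
    return [r[0] for r in results if r[column] == "ACCEPT"]


if __name__ == "__main__":
    print(f"{'t':>5}  {'source':<12} {'-m limit':<10} {'-m recent'}")
    for now, src, lv, rv in simulate(SAMPLE_SYNS):
        print(f"{now:>5}  {src:<12} {lv:<10} {rv}")
```

Running it shows both rule sets stopping the noisy source after its first few SYNs. The difference is at t=20: the shared `limit` bucket is still empty after the burst, so the legitimate source's SYN does not match the ACCEPT rule either, whereas the per-source `recent` list lets it straight through.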