[olug] Help w/ my server

Christopher Cashell topher-olug at zyp.org
Mon Jul 23 22:20:54 UTC 2012

On Mon, Jul 23, 2012 at 4:59 PM, Lou Duchez <lou at paprikash.com> wrote:
> On 7/23/2012 5:56 PM, Christopher Cashell wrote:
>> -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m limit
>> --limit 1/min --limit-burst 4 -j ACCEPT
>> Now you have built-in protection against brute-force attacks at the
>> kernel-level, without relying on an external program, or recognizing
>> the failed logins later via log watching.
> That is swank, thank you!

There's also an alternate way of accomplishing essentially the same thing,
depending on how you want to implement it, and what your goals are.  The
above is used as your ACCEPT line for SSH.  Basically it only ACCEPTs the
packet if, if no more than 1 SYN packet is received from a single IP within
1 minute (with a 4 SYN burst allowed (some apps will send multiple SYNs
when trying to establish a connection)).

You can also do it this way:

-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set
--name abusers --rsource
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update
--seconds 180 --hitcount 6 --name abusers --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT

In this case, we start by setting up a rule that watches how many hits we
get from each IP address.  Then we have a rule that kicks in to explicitly
DROP any packets when we've exceeded our hitcount.  In this case, it's 6
SYN packets in a 3 minute period.  Finally, if our DROP rule hasn't kicked
in, it falls through to an ACCEPT.

Personally, I prefer the earlier setup, as it's simpler and does the trick
just fine for simple cases.  This method could be useful in certain
situations, though.


More information about the OLUG mailing list