[olug] Help w/ my server

Lou Duchez lou at paprikash.com
Mon Jul 23 22:25:42 UTC 2012

On 7/23/2012 6:20 PM, Christopher Cashell wrote:
> On Mon, Jul 23, 2012 at 4:59 PM, Lou Duchez <lou at paprikash.com> wrote:
>> On 7/23/2012 5:56 PM, Christopher Cashell wrote:
>>> -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m limit
>>> --limit 1/min --limit-burst 4 -j ACCEPT
>>> Now you have built-in protection against brute-force attacks at the
>>> kernel-level, without relying on an external program, or recognizing
>>> the failed logins later via log watching.
>> That is swank, thank you!
> There's also an alternate way of accomplishing essentially the same thing,
> depending on how you want to implement it, and what your goals are.  The
> above is used as your ACCEPT line for SSH.  Basically it only ACCEPTs the
> packet if, if no more than 1 SYN packet is received from a single IP within
> 1 minute (with a 4 SYN burst allowed (some apps will send multiple SYNs
> when trying to establish a connection)).
> You can also do it this way:
> -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set
> --name abusers --rsource
> -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update
> --seconds 180 --hitcount 6 --name abusers --rsource -j DROP
> -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
> In this case, we start by setting up a rule that watches how many hits we
> get from each IP address.  Then we have a rule that kicks in to explicitly
> DROP any packets when we've exceeded our hitcount.  In this case, it's 6
> SYN packets in a 3 minute period.  Finally, if our DROP rule hasn't kicked
> in, it falls through to an ACCEPT.
> Personally, I prefer the earlier setup, as it's simpler and does the trick
> just fine for simple cases.  This method could be useful in certain
> situations, though.

Also very swank!  Though I think I'll stick with the earlier one for now 
as well; it seems like a solid solution in one line.

More information about the OLUG mailing list