Hi,
jdow wrote:
sth like this?
this is from my iptables script, you have to adjust the variables.
$ipt -A INPUT -m state --state NEW -p tcp --dport 22 -m recent --name SSH --update --seconds 60 --hitcount 4 -j LOG_DROP
$ipt -A INPUT -m state --state NEW -p tcp --dport 22 -m recent --name SSH --set
Rainer
I do it a little more thoroughly - I log the attempts after timeouts.
# Then setup the reject trap.
$IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
--rcheck --seconds 120 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: '
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
--rcheck --seconds 120 --hitcount 3 -j REJECT --reject-with tcp-reset
hmm, I'm logging them, too.
But you're rejecting them and that is more convenient for the attacker,
isn't it?
This way he doesn't have half-open TCP connections which sooner or later
hurt him.
Rainer
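To make the difference between the two rule sets concrete, here is an added example (not code from either poster) that models the `recent` match in Python and replays constructed connection timings through both scripts. The model is an approximation of xt_recent: `--set` records a timestamp, `--rcheck`/`--update` match when the address already has at least `--hitcount` timestamps inside the `--seconds` window, and `--update` additionally refreshes the entry on a match. It assumes that LOG_DROP ends in DROP, that a SYN not caught by the trap is accepted by a later rule, and uses a documentation-range source address.

```python
"""Simplified model of the iptables `recent` match, used to compare the two
SSH rate-limit rule sets from the thread on constructed SYN timings.
Added example; the timing semantics approximate the kernel's xt_recent."""

SECONDS_RAINER, HITCOUNT_RAINER = 60, 4   # --update --seconds 60 --hitcount 4
SECONDS_JDOW, HITCOUNT_JDOW = 120, 3      # --rcheck --seconds 120 --hitcount 3


class RecentTable:
    """One timestamp list per source address, like /proc/net/xt_recent/<name>.
    The kernel keeps at most ip_pkt_list_tot stamps per address (20 by
    default); this model keeps all of them, which is enough for short runs."""

    def __init__(self):
        self.stamps = {}

    def set(self, src, now):
        # --set: create the entry if needed and record this packet's time
        self.stamps.setdefault(src, []).append(now)

    def hits(self, src, now, seconds):
        # number of recorded packets from src within the last `seconds`
        return sum(1 for t in self.stamps.get(src, []) if now - t <= seconds)

    def check(self, src, now, seconds, hitcount, update):
        # --rcheck (update=False) / --update (update=True): match when the
        # address already has >= hitcount packets in the window; --update
        # also refreshes the entry when it matches.
        matched = self.hits(src, now, seconds) >= hitcount
        if matched and update:
            self.stamps[src].append(now)
        return matched


def rainer_rules(table, src, now):
    # 1) -m recent --name SSH --update --seconds 60 --hitcount 4 -j LOG_DROP
    if table.check(src, now, SECONDS_RAINER, HITCOUNT_RAINER, update=True):
        return "LOG_DROP"
    # 2) -m recent --name SSH --set, then a later rule accepts (assumed)
    table.set(src, now)
    return "ACCEPT"


def jdow_rules(table, src, now):
    # 1) --syn -m recent --name sshattack --set   (runs for every new SYN)
    table.set(src, now)
    # 2)+3) --rcheck --seconds 120 --hitcount 3 -j LOG, then -j REJECT
    if table.check(src, now, SECONDS_JDOW, HITCOUNT_JDOW, update=False):
        return "REJECT"
    return "ACCEPT"


def simulate(rules, times, src="198.51.100.7"):
    """Run one source's SYNs (seconds since start) through a rule set and
    return the verdict for each SYN."""
    table = RecentTable()
    return [rules(table, src, t) for t in times]


# Constructed timings: a brute-force burst every 5 s, and an admin who opens
# a fresh session every 20 s (both from the same constructed address).
BURST = [0, 5, 10, 15, 20, 25]
ADMIN = [0, 20, 40, 60, 80, 100]

if __name__ == "__main__":
    for name, rules in (("Rainer", rainer_rules), ("jdow", jdow_rules)):
        print(name, "burst:", simulate(rules, BURST))
        print(name, "admin:", simulate(rules, ADMIN))
```

Running it shows the practical effect of rule order: because jdow's `--set` rule comes first and fires for every SYN, the third new connection from one address within 120 s is rejected whether it comes from a password guesser or from an admin reconnecting; Rainer's ordering lets four SYNs through in 60 s and drops from the fifth. Either way, after a block the counter keeps being refreshed while the source keeps retrying inside the window, so the lockout lasts as long as the attempts continue. When tuning the thresholds on a real box, check the per-address state in /proc/net/xt_recent/<name> rather than trusting the model.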