On Tue, 2006-06-13 at 13:31 +0200, Rainer Traut wrote:
> Hi,
>
> jdow wrote:
>
> >> sth like this?
> >> this is from my iptables script, you have to adjust the variables.
> >>
> >> $ipt -A INPUT -m state --state NEW -p tcp --dport 22 -m recent --name
> >> SSH --update --seconds 60 --hitcount 4 -j LOG_DROP
> >>
> >> $ipt -A INPUT -m state --state NEW -p tcp --dport 22 -m recent --name
> >> SSH --set
> >>
> >> Rainer
> >
> > I do it a little more thoroughly - I log the attempts after timeouts.
> >
> > # Then setup the reject trap.
> > $IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
> > $IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
> > --rcheck --seconds 120 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: '
> > $IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
> > --rcheck --seconds 120 --hitcount 3 -j REJECT --reject-with tcp-reset
> >
>
> hmm, I'm logging them, too.
> But you're rejecting them and that is more convenient for the attacker,
> isn't it?
> This way he doesn't have half-open TCP connections which sooner or later
> hurt him.
>

I use DROP, but I cannot see where your target LOG_DROP is in the man page, so I cannot tell if this is a valid target. The man page says to use 2 lines, one to do the logging and the second to DROP/REJECT the packet. I prefer DROP to REJECT because I do not want to send _anything_ back to the attacker.

Also, the sequence of yours seems wrong. When a packet is dropped or rejected the chain terminates, so the next line would never get processed.
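As an added illustration (not code from anyone in the thread), here is a small Python model of the `-m recent` list semantics the quoted rules rely on: `--set`, `--rcheck` and `--update` with `--seconds`/`--hitcount`, run through both rule orderings shown above. The source address and the attempt timelines are constructed, and every packet is assumed to be a NEW SYN to port 22.

```python
"""Toy model of iptables' xt_recent ("-m recent") list, as used to rate-limit SSH.

Constructed example: timestamps are plain seconds, one list, one source.
"""
from collections import defaultdict


class RecentList:
    """One named xt_recent list (e.g. --name SSH): per-source packet timestamps."""

    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):
        """--set: add the source (or record another timestamp for it)."""
        self.stamps[src].append(now)

    def rcheck(self, src, now, seconds, hitcount):
        """--rcheck --seconds S --hitcount N: src seen >= N times in the last S seconds."""
        recent = [t for t in self.stamps.get(src, []) if now - t <= seconds]
        return len(recent) >= hitcount

    def update(self, src, now, seconds, hitcount):
        """--update: like --rcheck, but a match also records a fresh timestamp."""
        matched = self.rcheck(src, now, seconds, hitcount)
        if matched:
            self.stamps[src].append(now)
        return matched


def check_then_set(lst, src, now, seconds=60, hitcount=4, refresh=True):
    """Check rule first, --set rule second: hitcount N blocks the (N+1)th attempt.
    refresh=True models --update, refresh=False models --rcheck."""
    check = lst.update if refresh else lst.rcheck
    if check(src, now, seconds, hitcount):
        return "DROP"      # terminating target: the --set rule is never reached
    lst.set(src, now)
    return "ACCEPT"        # falls through to whatever rule accepts SSH


def set_then_check(lst, src, now, seconds=120, hitcount=3, refresh=False):
    """--set rule first, check rule second: the current packet is already
    counted, so hitcount N blocks the Nth attempt."""
    lst.set(src, now)
    check = lst.update if refresh else lst.rcheck
    return "REJECT" if check(src, now, seconds, hitcount) else "ACCEPT"


def verdicts(times, chain=check_then_set, **opts):
    """Feed a constructed timeline of NEW SYNs from one source through a chain."""
    lst = RecentList()
    return [chain(lst, "198.51.100.7", t, **opts) for t in times]  # constructed src
```

Feeding the same hammering timeline through `check_then_set` with `refresh=True` and `refresh=False` shows the practical difference between `--update` and `--rcheck`: with `--update` each blocked attempt extends the window, with `--rcheck` the block lapses once the first hits age out.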