Ashley M. Kirchner wrote:
Hey all,
I have the following lines in my iptables config file to curb ssh
knocking on our servers:
# Let's see if we can curb SSH attacks.
-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck
--seconds 120 --hitcount 2 -j LOG -log-prefix "SSH REJECT: "
-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck
--seconds 120 --hitcount 2 -j REJECT --reject-with tcp-reset
This works great...EXCEPT it also blocks our own access to the
servers if we need to get on them in a short amount of time (less than
120 seconds). So how can I still implement the above blocking, but
allow anything from our different subnets (we have 4) come through
without going through that block routine?
Allow your subnets before the above rules. Here's a sample rule:
-A INPUT -s 10.0.0.0/24 -p tcp --dport 22 --syn -j ACCEPT
# subnet ^^^^^^^^^^^
You'd need one rule for each subnet.
hth