At 11:53 AM -0600 9/18/07, Ashley M. Kirchner wrote:

> Hey all,
>
> I have the following lines in my iptables config file to curb ssh
> knocking on our servers:
>
> # Let's see if we can curb SSH attacks.
> -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
>
> -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck
> --seconds 120 --hitcount 2 -j LOG --log-prefix "SSH REJECT: "
>
> -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck
> --seconds 120 --hitcount 2 -j REJECT --reject-with tcp-reset
>
> This works great...EXCEPT it also blocks our own access to the
> servers if we need to get on them in a short amount of time (less than
> 120 seconds). So how can I still implement the above blocking, but
> allow anything from our different subnets (we have 4) to come through
> without going through that block routine?

I use pam_recent, from <http://snafu.priv.at/mystuff/recent-plus-pam.html>,
to remove successful logins from the sshattack list. As I have additional
delays for the persistent attacker, it's really important to remove the
successful logins.

My rules actually cover the range 21:22 to protect both FTP and SSH. I use
ip_conntrack_ftp, set as an entry in the IPTABLES_MODULES line in
/etc/sysconfig/iptables-config.

-- 
____________________________________________________________________
TonyN.:'                       <mailto:tonynelson@xxxxxxxxxxxxxxxxx>
      '                              <http://www.georgeanelson.com/>
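One way to exempt the trusted subnets from the rate limit, as an added example that is not from either poster: move the recent-module rules into a dedicated chain and RETURN trusted sources before they are counted. The chain name SSHGUARD and the subnets are my own placeholders; the function prints iptables-save style lines for the filter section of /etc/sysconfig/iptables.

```shell
#!/bin/sh
# Added example, not from the thread. Emits iptables-save format rules
# that whitelist trusted subnets ahead of the "recent" sshattack counters.
# Constructed placeholder subnets: replace with your own four networks.
TRUSTED_SUBNETS="192.0.2.0/24 198.51.100.0/24 203.0.113.0/24 10.10.0.0/16"

# Print the filter-table fragment for a SSHGUARD chain (name is my choice).
# Usage: gen_ssh_guard_rules "net1 net2 ..." [port-or-range, default 22]
gen_ssh_guard_rules() {
    subnets=$1
    ports=${2:-22}
    echo ":SSHGUARD - [0:0]"
    # Only new connection attempts to the guarded port(s) enter the chain.
    echo "-A INPUT -p tcp --syn --dport $ports -j SSHGUARD"
    # Trusted sources leave the chain before the counter rules run, so the
    # rest of INPUT handles them exactly as it did before.
    for net in $subnets; do
        echo "-A SSHGUARD -s $net -j RETURN"
    done
    # Same logic as the original rules: record every SYN, then reject the
    # second one seen from the same address within 120 seconds.
    echo "-A SSHGUARD -m recent --name sshattack --set"
    echo "-A SSHGUARD -m recent --name sshattack --rcheck --seconds 120 --hitcount 2 -j LOG --log-prefix \"SSH REJECT: \""
    echo "-A SSHGUARD -m recent --name sshattack --rcheck --seconds 120 --hitcount 2 -j REJECT --reject-with tcp-reset"
}

# Use 21:22 instead of 22 to cover FTP as well, as the reply describes.
gen_ssh_guard_rules "$TRUSTED_SUBNETS" 22
```

Paste the output into the filter section of the config file ahead of any existing ACCEPT rule for port 22; the original three INPUT rules are then no longer needed.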