On Wed, 2007-09-19 at 02:22 +0300, kalinix wrote:
> On Tue, 2007-09-18 at 12:09 -0700, Mike Wright wrote:
> > Ashley M. Kirchner wrote:
> > > Mike Wright wrote:
> > >
> > >> Allow your subnets before the above rules. Here's a sample rule:
> > >>
> > >> -A INPUT -s 10.0.0.0/24 -p tcp --dport 22 --syn -j ACCEPT
> > >> #          subnet ^^^^^^^^^^^
> > >>
> > >> You'd need one rule for each subnet.
> > >>
> > >> hth
> > >
> > >
> > > Awesome Mike, that worked like a charm. Thanks!
> >
> > Very welcome.
> >
> > > Somewhat related question: would the same rules work for ftp attacks
> > > as well? Obviously replacing the port number with 21, but would they
> > > work? Duplicate the lines, replace port and hope that ftp also gets
> > > curbed the same way?
> > >
> >
> > I think so. I know that there are connection tracking issues with ftp
> > but I don't think that applies here. Each connection starts with an
> > initial NEW packet.

The initial control session is easy to monitor using the same kind of
ruleset used for port 22, but specifying port 21:

-A INPUT -p tcp --syn --dport 21 -m recent --name ftpattack --set
-A INPUT -p tcp --syn --dport 21 -m recent --name ftpattack --rcheck --seconds 120 --hitcount 2 -j LOG --log-prefix "FTP REJECT: "
-A INPUT -p tcp --syn --dport 21 -m recent --name ftpattack --rcheck --seconds 120 --hitcount 2 -j REJECT --reject-with tcp-reset

If the attacker can't get a control connection, s/he can't get a data
connection. Now, if you want to firewall your FTP data connections, you
need to use connection tracking:

# These rules allow active FTP sessions...
-A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT

# These rules allow passive FTP sessions...
-A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

----------------------------------------------------------------------
- Rick Stevens, Principal Engineer              rstevens@xxxxxxxxxxxx -
- CDN Systems, Internap, Inc.                  http://www.internap.com -
-                                                                    -
- If at first you don't succeed, quit. No sense being a damned fool! -
----------------------------------------------------------------------
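As an added example (not part of Rick's message or anything else in the thread), here is a POSIX sh generator that assembles the ruleset the thread builds up piece by piece: the per-subnet ACCEPT rules that must precede the throttle, the -m recent set/rcheck/LOG/REJECT triplet duplicated for each port, and the FTP data-connection rules. The subnet, port and table-name values are constructed placeholders; the function name gen_rules and the TRUSTED_NETS/THROTTLED_PORTS variables are mine.

```sh
#!/bin/sh
# Generates an iptables-restore fragment for the pattern in the thread:
# accept trusted subnets first, then throttle repeated SYNs with -m recent,
# for each listed port, followed by the FTP data-connection rules.
# The subnets and ports are constructed placeholders, not values from the thread.

emit() { printf '%s\n' "$*"; }

# gen_rules "<trusted subnets, space separated>" "<ports, space separated>"
gen_rules() {
    subnets=$1
    ports=$2
    emit '*filter'
    for port in $ports; do
        # Trusted sources are accepted before the throttle rules, so their
        # SYNs never enter the "recent" table (one rule per subnet per port).
        for net in $subnets; do
            emit "-A INPUT -s $net -p tcp --dport $port --syn -j ACCEPT"
        done
        # Everyone else: record the SYN, then log and reset the second SYN
        # from the same source within 120 seconds.
        name="attack$port"
        emit "-A INPUT -p tcp --syn --dport $port -m recent --name $name --set"
        emit "-A INPUT -p tcp --syn --dport $port -m recent --name $name --rcheck --seconds 120 --hitcount 2 -j LOG --log-prefix \"PORT $port REJECT: \""
        emit "-A INPUT -p tcp --syn --dport $port -m recent --name $name --rcheck --seconds 120 --hitcount 2 -j REJECT --reject-with tcp-reset"
    done
    # FTP data connections. The RELATED state only matches them when the FTP
    # conntrack helper (nf_conntrack_ftp, ip_conntrack_ftp on older kernels) is
    # loaded; without it the data SYN is NEW and falls through to later rules.
    emit '# active FTP data (port 20)'
    emit '-A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT'
    emit '-A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT'
    emit '# passive FTP data (unprivileged ports)'
    emit '-A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT'
    emit '-A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT'
    emit 'COMMIT'
}

# Usage: gen_rules "10.0.0.0/24 192.168.1.0/24" "22 21" | iptables-restore -n
gen_rules "${TRUSTED_NETS:-10.0.0.0/24}" "${THROTTLED_PORTS:-22 21}"
```

Piping the output through iptables-restore -n appends the rules without flushing the existing table, so the subnet ACCEPTs land ahead of the throttle rules in the order the thread requires.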