Have higher up rules that allow you to do it :)

On Tue, Sep 18, 2007 at 11:53:24AM -0600, Ashley M. Kirchner (ashley@xxxxxxxxxx) wrote:
>
> Hey all,
>
> I have the following lines in my iptables config file to curb ssh
> knocking on our servers:
>
> # Let's see if we can curb SSH attacks.
> -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
> -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck --seconds 120 --hitcount 2 -j LOG --log-prefix "SSH REJECT: "
> -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck --seconds 120 --hitcount 2 -j REJECT --reject-with tcp-reset
>
> This works great...EXCEPT it also blocks our own access to the
> servers if we need to get on them in a short amount of time (less than
> 120 seconds). So how can I still implement the above blocking, but
> allow anything from our different subnets (we have 4) to come through
> without going through that block routine?
>
> --
> W | It's not a bug - it's an undocumented feature.
> +--------------------------------------------------------------------
> Ashley M. Kirchner <mailto:ashley@xxxxxxxxxx> . 303.442.6410 x130
> IT Director / SysAdmin / Websmith . 800.441.3873 x130
> Photo Craft Imaging . 3550 Arapahoe Ave. #6
> http://www.pcraft.com ..... . . . Boulder, CO 80303, U.S.A.
>
> --
> fedora-list mailing list
> fedora-list@xxxxxxxxxx
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
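As an added example (not from the thread), here is what "rules higher up" looks like in the same /etc/sysconfig/iptables style the poster uses: a shell function that emits per-subnet ACCEPT rules ahead of the `recent` rules, so trusted hosts are never recorded in the sshattack list, plus a check that the ordering is right. The four subnets are constructed placeholders from the RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Added example, not code from the original post. Emits an iptables-restore
# style fragment in which ACCEPT rules for trusted subnets come BEFORE the
# "-m recent" rules, so SYNs from those subnets never enter the sshattack list.
# Constructed placeholder subnets (RFC 5737), standing in for the poster's four.
TRUSTED_SUBNETS="192.0.2.0/24 198.51.100.0/24 203.0.113.0/24 192.0.2.128/25"

# Print the ordered rule set for the subnets given as arguments.
ssh_ruleset() {
    echo '# Trusted subnets bypass the rate limiter: these rules must come first.'
    for net in "$@"; do
        echo "-A INPUT -p tcp --syn --dport 22 -s $net -j ACCEPT"
    done
    echo '# Everyone else: record the SYN, then log and reset on the 2nd hit within 120s.'
    echo '-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set'
    echo '-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck --seconds 120 --hitcount 2 -j LOG --log-prefix "SSH REJECT: "'
    echo '-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck --seconds 120 --hitcount 2 -j REJECT --reject-with tcp-reset'
}

# Ordering check: the last ACCEPT rule must precede the first "-m recent" rule.
# Returns 0 when the bypass rules are correctly placed, 1 otherwise.
check_order() {
    rules=$(ssh_ruleset "$@")
    last_accept=$(printf '%s\n' "$rules" | grep -n -- '-j ACCEPT' | tail -n 1 | cut -d: -f1)
    first_recent=$(printf '%s\n' "$rules" | grep -n -- '-m recent' | head -n 1 | cut -d: -f1)
    [ -n "$last_accept" ] && [ "$last_accept" -lt "$first_recent" ]
}

# Emit the fragment for the placeholder subnets.
ssh_ruleset $TRUSTED_SUBNETS
```

The output is meant to be pasted into the INPUT section of the config file; because the kernel evaluates rules top to bottom, the ACCEPT for a trusted source ends processing before the `--set` rule ever runs.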