* ftp hammer rule help
From: Adam De Paolis @ 2002-10-01  2:53 UTC (permalink / raw)
  To: netfilter


I am trying to create a rule which will prevent users from hammering my ftp site when it's busy. A rule which, say, will drop user login if there are 3 attempts in 1 minute.

I believe the match recent rule is what I need to get working, but I don't have it working.  This is what I have so far (thanks to Stephen Frost), but it doesn't seem to work.

The firewall machine is my ftp server, both are on the same computer:

iptables -A FORWARD -m recent --name ftpconn --rcheck --seconds 60 --hitcount 3 -j DROP
iptables -A FORWARD -p tcp -d aa.bb.cc.dd/32 --dport 21 -m recent --name ftpconn --set -j DROP



* Re: ftp hammer rule help
From: Stephen Frost @ 2002-10-01  3:16 UTC (permalink / raw)
  To: Adam De Paolis; +Cc: netfilter


* Adam De Paolis (adepaolis@rogers.com) wrote:
> I am trying to create a rule which will prevent users from hammering my ftp site when it's busy. A rule which, say, will drop user login if there are 3 attempts in 1 minute.
> 
> I believe the match recent rule is what I need to get working, but I don't have it working.  This is what I have so far (thanks to Stephen Frost), but it doesn't seem to work.
> 
> The firewall machine is my ftp server, both are on the same computer:
> 
> iptables -A FORWARD -m recent --name ftpconn --rcheck --seconds 60 --hitcount 3 -j DROP
> iptables -A FORWARD -p tcp -d aa.bb.cc.dd/32 --dport 21 -m recent --name ftpconn --set -j DROP

Can you say what does happen..?  Also, cat /proc/net/ipt_recent/ftpconn
and see what's there.  It also looks like maybe you have it set up
incorrectly in the second rule, you want to ACCEPT there until they
reach the limit which is in the first rule, and then they'll be dropped
there.

	Stephen
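To make the reply's point concrete, here is a small Python model of the `recent` match (--set, --rcheck, --seconds, --hitcount) that walks the chain as posted and the corrected chain; it is an added example, not code from either poster. It assumes each packet is a new FTP connection attempt from one constructed source address and leaves out the -p/-d/--dport matches; note also that with the FTP daemon running on the firewall itself, the packets traverse INPUT rather than FORWARD.

```python
"""Minimal model of iptables' `recent` match, enough to trace the rules above.
The kernel keeps, per list name, source address -> timestamps of packets that
hit a --set rule; --rcheck --seconds S --hitcount N matches when the source is
listed with at least N timestamps inside the last S seconds.  Assumed here:
every packet is a new FTP connection attempt from one source.  A real rule
should also carry --syn or -m state --state NEW, since otherwise every packet
to port 21 counts as a hit, not each login attempt.
"""
from collections import defaultdict

class Recent:
    def __init__(self):
        self.lists = defaultdict(lambda: defaultdict(list))
    def set(self, name, src, now):
        self.lists[name][src].append(now)          # --set always matches
    def rcheck(self, name, src, now, seconds, hitcount):
        stamps = self.lists[name].get(src, [])
        return sum(1 for t in stamps if now - t <= seconds) >= hitcount

def run_chain(rules, recent, src, now, policy="ACCEPT"):
    """Walk the chain as netfilter does: the first matching rule's target wins."""
    for rule in rules:
        if rule["recent"] == "rcheck":
            if not recent.rcheck(rule["name"], src, now,
                                 rule["seconds"], rule["hitcount"]):
                continue                           # too few recent hits yet
        else:                                      # "set"
            recent.set(rule["name"], src, now)
        return rule["target"]
    return policy

# As posted: a packet that passes the --rcheck rule still reaches the --set
# rule, whose target is DROP, so no connection ever gets through.
POSTED = [
    {"recent": "rcheck", "name": "ftpconn", "seconds": 60, "hitcount": 3, "target": "DROP"},
    {"recent": "set", "name": "ftpconn", "target": "DROP"},
]
# The reply's correction: the --set rule must ACCEPT until the limit is hit.
FIXED = [
    {"recent": "rcheck", "name": "ftpconn", "seconds": 60, "hitcount": 3, "target": "DROP"},
    {"recent": "set", "name": "ftpconn", "target": "ACCEPT"},
]

def trace(rules, times, src="192.0.2.10"):
    """Verdict per connection attempt at the given constructed second offsets."""
    recent = Recent()
    return [run_chain(rules, recent, src, t) for t in times]

if __name__ == "__main__":
    attempts = [0, 10, 20, 30, 90]                 # four within a minute, one later
    print("posted:", trace(POSTED, attempts))      # all DROP
    print("fixed: ", trace(FIXED, attempts))       # ACCEPT x3, DROP, ACCEPT
```

Since --rcheck does not refresh the list, the fourth attempt is dropped but not counted, so the source is admitted again once its earlier hits age out of the 60-second window.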


