From: Pablo Neira Ayuso <pablo@netfilter.org>
To: "Irwin L." <biatche@gmail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: nftables: drop ssh brute force with ip block
Date: Thu, 23 Jun 2016 12:34:30 +0200
Message-ID: <20160623103430.GA10616@salvia>
In-Reply-To: <5766E34B.4040008@gmail.com>
On Mon, Jun 20, 2016 at 02:24:11AM +0800, Irwin L. wrote:
> As subject says.
>
> tcp dport {22} counter limit rate 3/minute counter accept comment "avoid
> brute force"
>
> I've tried something like this, but it seems to limit ALL ips.
> I would prefer to block the ip address for 24 hours or something.
Try something like:
# nft add rule x y tcp dport 22 \
flow table ssh-bruteforce { ip saddr limit rate 3/minute } \
accept comment \"avoid brute force\"
This is ratelimiting based on the source IP address.
You can consult the content of this flow table via:
# nft list flow table x ssh-bruteforce
...
The current output of this specific command is not stable.
You require a relatively recent kernel and nft 0.6 to get this
working.
BTW, please don't use:
tcp dport { 22}
The curly braces have very specific semantics, ie. they are requesting
the kernel to create a set. In this specific case, this is overkill
since this will create a set with *only one single element*. Thus:
tcp dport 22
is better.
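A complete ruleset file built around the per-source limit Pablo describes, as an added example rather than anything posted in the thread. It uses the `meter` keyword that later nft releases introduced for the `flow table` statement shown above, and it goes one step beyond the reply by also parking sources that exceed the limit in a timed set for 24 hours, which is what the original question asked for. The table, chain, set and meter names are assumptions, and the set-update statement (`add @set { ... timeout ... }` with a `dynamic` set) needs a newer nft and kernel than the 0.6 mentioned in the reply.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Names (filter, input, ssh_blocklist,
# ssh_bruteforce) are assumptions. Load with: nft -f this_file.nft

flush ruleset

table inet filter {
    # Sources that exceeded the per-IP limit; entries expire after 24h.
    # 'dynamic' is required for a set that rules add to from the packet path.
    set ssh_blocklist {
        type ipv4_addr
        flags dynamic, timeout
        timeout 24h
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iif "lo" accept

        # Already-blocked sources are dropped before the limiter runs,
        # so they cannot keep refilling their own bucket.
        tcp dport 22 ip saddr @ssh_blocklist counter drop

        # Per-source rate limit: every distinct ip saddr gets its own
        # 3/minute bucket (this is the thread's "flow table" statement;
        # nft >= 0.8 spells it "meter"). Only IPv4 matches 'ip saddr'.
        tcp dport 22 ct state new \
            meter ssh_bruteforce { ip saddr limit rate 3/minute } \
            counter accept comment "avoid brute force"

        # Anything that fell through the limiter is a fourth-or-later
        # connection attempt within the minute: record the source for 24h
        # and drop the packet.
        tcp dport 22 ct state new \
            add @ssh_blocklist { ip saddr timeout 24h } counter drop
    }
}
```

After loading, `nft list meter inet filter ssh_bruteforce` shows the per-source buckets and `nft list set inet filter ssh_blocklist` shows which addresses are currently parked and how much of their 24 hours remains; the `counter` on each rule makes it easy to confirm from `nft list ruleset` that the limiter, not the policy, is what is dropping the excess.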
Thread overview: 6+ messages
2016-06-19 18:24 nftables: drop ssh brute force with ip block Irwin L.
2016-06-23 10:34 ` Pablo Neira Ayuso [this message]
2016-06-23 10:39 ` Irwin L.
2016-06-23 10:48 ` Pablo Neira Ayuso
2016-06-23 10:55 ` Irwin L.
2016-06-23 11:01 ` Pablo Neira Ayuso