From: "J. Bakshi" <joydeep@infoservices.in>
To: Richard Horton <arimus.uk@googlemail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: How to block particular port based on src IP ?
Date: Fri, 16 Apr 2010 16:07:23 +0530
Message-ID: <4BC83DE3.5020506@infoservices.in>
In-Reply-To: <r2h56378e321004160246rd9958653p7fa5605e8240589a@mail.gmail.com>
On 04/16/2010 03:16 PM, Richard Horton wrote:
> On 13 April 2010 07:51, J. Bakshi <joydeep@infoservices.in> wrote:
>
>> I am trying to make an arrangement in which, rather than blocking the IP, only
>> the access to the ssh port will be blocked from that IP. So the other
>> services, i.e. imap, apache, will still be accessible from the IP,
>> excluding ssh. Is it possible?
>>
>
> Yes. All you need do is change your drop rule to the following:
> iptables -A INPUT -p tcp --dport ssh -m mark --mark 0x1 -m recent --set --name sshoverflow --rsource -j DROP
>
> The way the rule works is effectively a logical AND, so it says: if the
> destination is the ssh port and the ip address is in the recent list,
> then drop the packet. This way only ssh is denied to the bad guy
> rather than everything... it might be better to use, for instance,
> iptables -A INPUT -p tcp -m multiport --dports ssh -m mark --mark 0x1 -m recent --set --name sshoverflow --rsource -j DROP
>
> You can then add other services prone to brute force attacks to the drop list...
>
> (Taken me a while to reply as I've been preoccupied with work and
> broken cheekbone thanks to some drunk chavs :()
>
GREAT !!!
AWESOME !!!
SWEET !!
Exactly what I have been looking for since long. Now the overflow connection
attempts are dropped but the other services are still available. Though the
blacklist interval is taking longer than what is defined in the config. Here
is the code:
```````````````````````````
# 1. mark NEW connections to the ssh port that exceed 2/min (burst 2)
iptables -A INPUT -p tcp -m hashlimit --hashlimit-above 2/min --hashlimit-burst 2 \
  --hashlimit-name hashlimit -m state --state NEW -m tcp --dport $SSH_PORT \
  -j MARK --set-xmark 0x1/0xffffffff
# 2. drop ssh packets from a source seen in the sshoverflow list within 60 s
iptables -A INPUT -p tcp --dport $SSH_PORT -m recent --rcheck --seconds 60 \
  --name sshoverflow --rsource -j DROP
# 3. a marked (over-limit) ssh packet puts its source in the list and is dropped
iptables -A INPUT -p tcp --dport $SSH_PORT -m mark --mark 0x1 -m recent --set \
  --name sshoverflow --rsource -j DROP
# 4. everything else that is NEW to the ssh port is accepted
iptables -A INPUT -p tcp -m state --state NEW --dport $SSH_PORT -j ACCEPT
```````````````````````````
The interval is set to 60 sec as above, but in practice it is taking
``````````````
real 1m52.044s
``````````
measured by *time*.
Except for the interval, everything else is running well.
Many, many thanks.
--
জয়দীপ বক্সী
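Added example, not from the thread and not the list's or the kernel's code: a small Python model of the four posted rules, using the documented xt_hashlimit and xt_recent semantics. The hashlimit bucket is modelled as credit counted in seconds of refill (one packet costs 30 s at 2/min, the cap is 60 s for burst 2, credit refills on every lookup, and --hashlimit-above matches when less than one packet of credit is left); --rcheck --seconds 60 matches an entry stamped within the last 60 s without refreshing it, and --set refreshes it. Two simplifications are assumptions of the model: a single client with integer-second probe times, and a bucket charged only by that client's ssh SYNs. Both differ from the posted rule 1, which has no --hashlimit-mode (one bucket shared by every source) and lists -m hashlimit before -m state and --dport, so iptables, which evaluates matches left to right, charges the bucket for every TCP packet it sees. The model shows one way the measured ban can run past the configured 60 s: in the posted order the hashlimit rule still sees the SYNs that the --rcheck rule drops a line later, so a client that keeps retrying keeps the bucket empty and is re-stamped the moment the 60 s expire. The ban_check_first flag is an alternative ordering, not something the thread proposes: it puts the --rcheck DROP ahead of the hashlimit rule so that dropped packets no longer touch the bucket.

```python
# Constructed model of the four posted iptables rules (not kernel code).
# Times are integer seconds; hashlimit credit is counted in seconds of
# refill, so no floating-point rounding sneaks into the token bucket.

COST = 30                 # --hashlimit-above 2/min: one packet costs 30 s of refill
BURST = 2                 # --hashlimit-burst 2
CAP = BURST * COST        # bucket holds at most 60 s of credit (two packets)
BAN_SECONDS = 60          # -m recent --rcheck --seconds 60


class HashLimitBucket:
    """Token bucket as xt_hashlimit keeps it: refill on every lookup, cap at
    burst, and --hashlimit-above matches when less than one packet of credit
    is left.  Assumed per-client here; the posted rules give no
    --hashlimit-mode, so the real bucket is shared by all sources."""

    def __init__(self):
        self.credit = CAP     # starts full, so the first BURST SYNs pass
        self.prev = 0

    def above(self, now):
        self.credit = min(CAP, self.credit + (now - self.prev))
        self.prev = now
        if self.credit >= COST:
            self.credit -= COST
            return False      # within the rate: rule 1 does not MARK
        return True           # over the rate: rule 1 MARKs the packet


class RecentList:
    """One entry of the sshoverflow list (--rsource, single client assumed)."""

    def __init__(self):
        self.last_set = None

    def rcheck(self, now, seconds):
        # --rcheck --seconds N: matches if stamped within the last N seconds
        # and, unlike --update, does not refresh the stamp.
        return self.last_set is not None and now - self.last_set <= seconds

    def set(self, now):
        # --set: add or refresh the entry; the match itself always succeeds.
        self.last_set = now
        return True


def chain_verdict(now, bucket, recent, ban_check_first=False):
    """Walk the INPUT chain for one NEW SYN to the ssh port.

    ban_check_first=False is the posted order (hashlimit MARK, rcheck DROP,
    mark+set DROP, ACCEPT).  True is the assumed alternative: the rcheck DROP
    runs before hashlimit, so packets dropped during the ban never touch the
    bucket."""
    if ban_check_first and recent.rcheck(now, BAN_SECONDS):
        return "DROP"
    marked = bucket.above(now)                    # rule 1: -j MARK --set-xmark 0x1
    if not ban_check_first and recent.rcheck(now, BAN_SECONDS):
        return "DROP"                             # rule 2: --rcheck --seconds 60 -j DROP
    if marked:                                    # rule 3: -m mark 0x1 -m recent --set -j DROP
        recent.set(now)
        return "DROP"
    return "ACCEPT"                               # rule 4: --state NEW -j ACCEPT


def simulate(probe_times, ban_check_first=False):
    """Verdict for each probe time (seconds) from one client."""
    bucket, recent = HashLimitBucket(), RecentList()
    return [(t, chain_verdict(t, bucket, recent, ban_check_first)) for t in probe_times]


def effective_ban_seconds(trace):
    """Seconds from the first DROP to the next ACCEPT; None if never let back in."""
    first_drop = None
    for t, verdict in trace:
        if verdict == "DROP" and first_drop is None:
            first_drop = t
        elif verdict == "ACCEPT" and first_drop is not None:
            return t - first_drop
    return None


if __name__ == "__main__":
    retrying = range(0, 301, 4)       # a client that keeps reconnecting every 4 s
    for order in (False, True):
        trace = simulate(retrying, ban_check_first=order)
        print("rcheck before hashlimit" if order else "posted order",
              "-> ban lasted", effective_ban_seconds(trace), "s")
    print("quiet client, posted order ->",
          [v for _, v in simulate([0, 1, 2, 120])])
```

With a client reconnecting every 4 s the posted order never lets it back in within the 300 s window, the reordered chain lets it back in after 64 s (the first probe after the 60 s have passed), and a client that goes quiet after its third SYN is accepted again at 120 s under either order. How the 1m52 above was produced depends on how the probing was done, which the message does not say.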
Thread overview (4+ messages):
2010-04-13 6:51 How to block particular port based on src IP ? J. Bakshi
2010-04-16 9:46 ` Richard Horton
2010-04-16 10:37 ` J. Bakshi [this message]
Loose match on Subject:
2010-04-14 3:18 J. Bakshi