From: Josh Nerius <jnerius@gmail.com>
To: Tib <tib@tigerknight.org>
Cc: netfilter@lists.netfilter.org
Subject: Re: use of the limiting options
Date: Sun, 30 Jan 2005 21:44:48 -0600
Message-ID: <4f3930a7050130194460efd21a@mail.gmail.com>
In-Reply-To: <Pine.LNX.4.53.0501251248340.24829@altaica>

Hello, 

A few thoughts/comments on your situation.  

1. You are correct, limit does not keep track of source. You may find
the 'recent' module useful if you wish to do this.

2. You may want to simplify things by easing up on the limit. Doing
something like 1/minute with a burst of 3 would still prevent
bruteforcing (or your password is *really* insecure ;-) ) but at the
same time, give you a little more protection from DoS.

3. In the setup you mention, the limit would *not* reset itself every
10 minutes. limit basically says, "ok, he said 6 in an hour, so if I
see 6 in the first 5 seconds, that's it for the rest of this hour..."
(and the burst is just the number of packets it has to see in the
given time increment before it'll start counting off hits)

4. As Mark mentioned, you definitely want to add a rule to accept
packets that are related to an already established ssh connection.
Otherwise, as he mentioned, once your connection is established, it'd
use up all the packets allotted in limit and then your ssh session
would die. A rule like `iptables -I INPUT -i eth0 -p tcp --dport 22 -m
state --state ESTABLISHED -j ACCEPT` would do this quite nicely.
Notice the -I INPUT...this can be changed to -A but the -I will put it
at the top of your chain. This rule needs to be above the limit rule
in order to function properly.

5. Don't let Jason get to you :-P

Hope this information proves to be helpful :-)

Josh Nerius



-- 
Math problems? Call 1-800-[(10x)(13i)^2]-[sin(xy)/2.362x]


On Tue, 25 Jan 2005 12:54:54 -0600 (CST), Tib <tib@tigerknight.org> wrote:
> 
> I'd like to use the --limit and --limit-burst options to protect my sshd
> from dictionary password attacks. Considering the userbase and activity
> level I'd say that something like this would suit me just fine.
> 
> --limit 6/hour
> --limit-burst 2
> 
> This would limit it to two connect/login attempts at first, and then one
> more every 10 minutes.. correct?
> 
> Would this be the proper command to use? I'm trying to just limit
> connections from the outside world, not from the local network, hence the
> address as a destination:
> 
> iptables -A INPUT -p tcp -d 66.80.174.210 --dport 22   \
>    -m limit --limit 6/hour --limit-burst 2 -j ACCEPT
> 
> <EOL>
> Tib
> 
>
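The two matches discussed in this thread (limit, which keeps no per-source state, and recent, which does) behave quite differently under the traffic Tib is worried about, and the interaction of --limit and --limit-burst over time is easiest to see by simulating it. The following is an added example, not code from the thread or from the netfilter project: a Python model of the token bucket used by the kernel's xt_limit match and of the common --update/--set rule pair of the recent match, fed a constructed stream of new SSH connection attempts (source addresses taken from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24). The iptables rules in the docstring are the ones the model corresponds to; the hitcount of 3 and the 600 second window are illustrative choices, and the model assumes the ESTABLISHED accept rule from point 4 sits above these rules so that only the first packet of each connection reaches them.

```python
r"""Model of two netfilter matches applied to new SSH connection attempts.

Added example, not code from the thread. It corresponds to these rules
(hitcount/seconds are illustrative) and assumes an ESTABLISHED accept
rule sits above them, so only the first packet of a connection is seen:

  iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
      -m limit --limit 6/hour --limit-burst 2 -j ACCEPT          # LimitMatch

  iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
      -m recent --name SSH --update --seconds 600 --hitcount 3 -j DROP
  iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
      -m recent --name SSH --set -j ACCEPT                         # RecentList
"""
from collections import defaultdict


class LimitMatch:
    """Global token bucket as in xt_limit: starts with `burst` tokens,
    refills at the configured rate, one token per matched packet.
    There is no per-source state, so every source shares the bucket."""

    def __init__(self, rate_per_hour, burst):
        self.refill_per_sec = rate_per_hour / 3600.0
        self.burst = float(burst)
        self.tokens = float(burst)
        self.last = 0.0

    def accept(self, t, src=None):
        # `src` is ignored on purpose: the limit match is source-blind.
        elapsed = max(0.0, t - self.last)
        self.tokens = min(self.burst, self.tokens + elapsed * self.refill_per_sec)
        self.last = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RecentList:
    """Per-source timestamp list driven by the --update/--set rule pair."""

    def __init__(self, seconds, hitcount):
        self.seconds = seconds
        self.hitcount = hitcount
        self.stamps = defaultdict(list)

    def accept(self, t, src):
        stamps = self.stamps[src]
        # --update rule: only matches an address already in the list, and
        # counts the stamps inside the window before adding a new one.
        # A match drops the packet and refreshes the stamp, so a source
        # that keeps retrying keeps itself blocked.
        in_window = [s for s in stamps if s >= t - self.seconds]
        if stamps and len(in_window) >= self.hitcount:
            stamps.append(t)
            return False
        # --set rule: record the attempt and accept it.
        stamps.append(t)
        return True


def run(match, attempts):
    """attempts: (time_seconds, source) pairs. Returns
    {source: (accepted, dropped)} after feeding them in time order."""
    counts = defaultdict(lambda: [0, 0])
    for t, src in sorted(attempts):
        counts[src][0 if match.accept(t, src) else 1] += 1
    return {src: tuple(c) for src, c in counts.items()}


# Constructed traffic (documentation addresses): an attacker makes twelve
# attempts, five seconds apart, then a legitimate user tries once at 120 s.
ATTACKER = "198.51.100.7"
USER = "203.0.113.5"
TRAFFIC = [(5.0 * i, ATTACKER) for i in range(12)] + [(120.0, USER)]

# A single source exhausting the burst, then returning after the refill
# interval that 6/hour implies (one token per 600 s).
REFILL = [(0.0, USER), (1.0, USER), (2.0, USER), (700.0, USER)]

if __name__ == "__main__":
    print("limit 6/hour burst 2:   ", run(LimitMatch(6, 2), TRAFFIC))
    print("recent 600s hitcount 3: ", run(RecentList(600, 3), TRAFFIC))
    print("limit, lone source:     ", run(LimitMatch(6, 2), REFILL))
```

Running it prints, per source, how many attempts each match would accept. The limit bucket spends its two burst tokens on the attacker and then refuses the legitimate user as well, because it cannot tell the two apart; the lone-source run shows a further attempt getting through only once enough of the refill interval has elapsed. The recent list blocks only the address that reached the hitcount, and because the --update rule refreshes the stamp on every dropped attempt, an attacker that keeps hammering stays blocked while the user's own list is untouched.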


Thread overview: 18+ messages
2005-01-25 18:54 use of the limiting options Tib
2005-01-25 19:08 ` Tib
2005-01-25 19:28   ` Tib
     [not found]     ` <294d5daa0501251137328fa4ff@mail.gmail.com>
     [not found]       ` <Pine.LNX.4.53.0501251340370.24829@altaica>
2005-01-25 19:51         ` Mark Moseley
2005-01-25 19:56           ` Tib
2005-01-25 20:17             ` Mark Moseley
2005-01-25 20:22               ` Tib
2005-01-26  7:58                 ` Tib
2005-01-26 18:43                   ` Mark Moseley
2005-01-28 21:32                     ` Tib
     [not found]                     ` <7096989.1107132520756.JavaMail.rct@kale>
2005-01-31 19:00                       ` Bob Tellefson
2005-01-26 16:17 ` Jason Opperisano
2005-01-28 21:29   ` Tib
2005-01-31  3:44 ` Josh Nerius [this message]
2005-01-31  5:52   ` R. DuFresne
2005-03-02 10:33   ` forwarding internet connection elg3ne
2005-03-02 10:41     ` Essien Ita Essien
2005-03-02 12:34     ` Jörg Harmuth