* Using the "recent" module to stop ssh/ftp attacks
@ 2006-09-27 14:28 Alan Garrison
0 siblings, 0 replies; only message in thread
From: Alan Garrison @ 2006-09-27 14:28 UTC (permalink / raw)
To: netfilter
I've used the "recent" trick to keep out bulk login attempt,
particularly for some publically accessable FTP sites my company runs:
-A INPUT -p tcp --dport 21 -m state --state NEW -m recent --set
-A INPUT -p tcp --dport 21 -m state --state NEW -m recent --update
--seconds 600 --hitcount 10 -j DROP
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
It works fine on basic server setups, however I've seen this not work
properly on machines that have ethernet aliases ("eth0", "eth0:1", etc).
Basically it blocks either too soon or just blocks the port
completely even on the first attempt. Does the exact network alias need
to be specified in the rules for these cases, or is there some other
limitation I may not be aware of?
--
Alan Garrison <agarrison@cronosys.com>
(216) 221-4600 x 308
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2006-09-27 14:28 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-09-27 14:28 Using the "recent" module to stop ssh/ftp attacks Alan Garrison
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox