Portsentry and too many iptables rules?
James McDonald
james at jamesmcdonald.id.au
Sun Jul 13 21:58:06 PDT 2008
Shawn Tayler wrote:
> Hi Guys,
>
> The large number of DROP rules stems from nearly a year of continuous uptime
> and the lovely old Psionic Portsentry application creating drop rules on
> every scan and bogus connection attack, although it does miss port 22 and 25,
> I'd like to add something to catch ssh logins who fail after say 3 tries, any
> suggestions would be appreciated.
>
> I pulled the rules list and cleared the dups and I'm down to 46,000 and
> change. I'll try and filter down to net segments to lower this further.
> Suggested methods?
>
> Shawn
>
>
iptables has the ability to say, for example: if I get 3 connections in
X seconds, then ban any connections from that IP address for X seconds/minutes.
Google Australia is down at the moment so I can't send you an example.
$IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 22 \
    -m state --state NEW -m limit --limit 3/minute \
    -m connlimit --connlimit-above 2 --connlimit-mask 29 -j ACCEPT
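Added example, not from James's mail or the list archive: the same "3 attempts, then drop" idea done with the iptables recent module, which keeps a per-source hit list in the kernel instead of one DROP rule per scanning address. The chain name SSH_LIMIT, the list name SSH and the environment variables are my choices.

```shell
#!/bin/sh
# Rate-limit new SSH connections per source with the "recent" match.
# A source that opens more than HITS new connections to PORT inside a
# WINDOW-second window is dropped for as long as it keeps trying, because
# --update refreshes its timestamp on every hit. On a running kernel the
# tracked sources are visible in /proc/net/xt_recent/SSH.
# Assumed names (not from the thread): SSH_LIMIT chain, SSH list, variables.
IPTABLES="${IPTABLES:-iptables}"
PORT="${PORT:-22}"
WINDOW="${WINDOW:-60}"   # seconds
HITS="${HITS:-3}"        # attempts allowed inside the window
NAME="${NAME:-SSH}"

# Emit the rules rather than applying them, so they can be reviewed first;
# apply with: ssh_ratelimit_rules | sh
ssh_ratelimit_rules() {
    cat <<EOF
$IPTABLES -N SSH_LIMIT
$IPTABLES -A INPUT -p tcp --dport $PORT -m state --state NEW -j SSH_LIMIT
$IPTABLES -A SSH_LIMIT -m recent --name $NAME --set
$IPTABLES -A SSH_LIMIT -m recent --name $NAME --update --seconds $WINDOW --hitcount $((HITS + 1)) -j DROP
$IPTABLES -A SSH_LIMIT -j RETURN
EOF
}

# --set records every new SYN first, so the (HITS+1)th SYN within WINDOW
# seconds is the one that matches --hitcount and is dropped.
ssh_ratelimit_rules
```

The DROP rule must come after the --set rule, otherwise the first attempt in each window is never counted.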