[lug] iptables help

Lee Woodworth blug-mail at duboulder.com
Tue Feb 15 16:32:57 MST 2011


On 02/15/2011 04:19 PM, Paul Nowosielski wrote:
> Dear All,
> 
> I have an iptables script that helps to stop
> brute force ssh attacks.
> 
> The rules are supposed to drop
> the IP for 180 seconds if they make more than 3 unsuccessful
> login attempts via ssh.
> 
> But it blocks an rsync via ssh process after 3 successful logins from $CRM_CA.
> The script needs to run perpetually but
> is being dropped.
> 
> 
> Here is the meaningful snippet.
> 
> # allow ssh
> 
> iptables -A INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 22 \
>     -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 22 --dport 513:65535 \
>     -m state --state ESTABLISHED -j ACCEPT
> 
> # always allow from CA systems
> 
> iptables -A INPUT -j ACCEPT -p all -s $CRM_CA
> iptables -A OUTPUT -j ACCEPT -p all -d $CRM_CA
> 
> # slow down brute force
> 
> iptables -I INPUT -p tcp -m tcp --dport 22 -m state --state NEW \
>     -m recent --set --name DEFAULT --rsource
> iptables -I INPUT -p tcp -m tcp --dport 22 -m state --state NEW \
>     -m recent --update --seconds 180 --hitcount 3 --name DEFAULT --rsource -j DROP

If I am reading the man page correctly, these two rules are getting inserted at
the front of the INPUT chain. Is that what you intended?
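The ordering problem Lee points at is the whole story: `-I INPUT` inserts the two `recent` rules ahead of the "always allow from CA systems" `-A` rule, so every NEW connection from $CRM_CA is recorded and, once three arrive within 180 seconds, the fourth rsync session is dropped before the trusted-host ACCEPT is ever reached. The script below is an added example, not Paul's script or anything from the thread; it builds the same rule set with `-A` throughout so the trusted host is accepted first and only everyone else is counted. SERVER_IP and CRM_CA are placeholder addresses, and IPT defaults to `echo iptables` so the rules are printed as a dry run instead of applied (set IPT=iptables as root to apply them).

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Placeholder addresses:
SERVER_IP="${SERVER_IP:-192.0.2.10}"   # placeholder (TEST-NET-1)
CRM_CA="${CRM_CA:-198.51.100.5}"       # placeholder (TEST-NET-2)
# Dry run by default: commands are echoed, not executed. IPT=iptables applies them.
IPT="${IPT:-echo iptables}"

ssh_rules() {
    # 1. Trusted host first. Because the chain is walked top to bottom and
    #    every rule is appended with -A, its packets hit ACCEPT before the
    #    recent-match rules and are never counted or dropped.
    $IPT -A INPUT -p tcp -s "$CRM_CA" --dport 22 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -p tcp -s "$SERVER_IP" -d "$CRM_CA" --sport 22 \
        -m state --state ESTABLISHED -j ACCEPT

    # 2. Rate limit for everyone else. "recent" only sees TCP connection
    #    attempts (NEW), not whether the login succeeded; iptables cannot
    #    observe the sshd authentication result. With --set before --update,
    #    --hitcount 3 means the third NEW connection inside 180 s is the
    #    first one dropped.
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW \
        -m recent --set --name SSH --rsource
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW \
        -m recent --update --seconds 180 --hitcount 3 --name SSH --rsource -j DROP

    # 3. Whatever survives the limit is allowed, plus the reply traffic.
    $IPT -A INPUT -p tcp -d "$SERVER_IP" --dport 22 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -p tcp -s "$SERVER_IP" --sport 22 \
        -m state --state ESTABLISHED -j ACCEPT
}

check_order() {
    # $1 is the dry-run listing. Succeeds only if the trusted-host ACCEPT
    # appears before the recent-match DROP, i.e. the ordering bug is absent.
    accept=$(printf '%s\n' "$1" | grep -n -e "-s $CRM_CA" | head -n 1 | cut -d: -f1)
    drop=$(printf '%s\n' "$1" | grep -n -e "-j DROP" | head -n 1 | cut -d: -f1)
    [ -n "$accept" ] && [ -n "$drop" ] && [ "$accept" -lt "$drop" ]
}

# Dry run: print the rules in the order they would be appended.
ssh_rules
```

Run it without arguments to see the rule order, and compare with the original script's `-I` lines: `iptables -L INPUT -n --line-numbers` on the live box will show the `recent` rules sitting at positions 1 and 2, above the CRM_CA ACCEPT, which is exactly what `check_order` is testing for.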