[lug] iptables help

Paul Nowosielski paulnowosielski at yahoo.com
Tue Feb 15 16:19:57 MST 2011


Dear All,

I have an iptables script that helps to stop
brute force ssh attacks.

The rules are supposed to drop
the IP for 180 seconds if they make more than 3 unsuccessful
login attempts via ssh.

But it blocks an rsync via ssh process after 3 successful logins from $CRM_CA.  
The script needs to run perpetually but
is being dropped.


Here is the meaningful snippet.

# allow ssh

iptables -A INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 22 \
    -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 22 --dport 513:65535 \
    -m state --state ESTABLISHED -j ACCEPT

# always allow from CA systems

iptables -A INPUT -j ACCEPT -p all -s $CRM_CA
iptables -A OUTPUT  -j ACCEPT -p all -d $CRM_CA

# slow down brute force

# -I inserts at the head of INPUT, so these two rules are evaluated before the
# ACCEPT rules appended above
iptables -I INPUT -p tcp -m tcp --dport 22 -m state --state NEW \
    -m recent --set --name DEFAULT --rsource
iptables -I INPUT -p tcp -m tcp --dport 22 -m state --state NEW \
    -m recent --update --seconds 180 --hitcount 3 --name DEFAULT --rsource -j DROP


I really don't want to remove the logic to drop an IP after 3 login attempts
because it works so well.
Does anyone see a simple solution to my problem?

Thank you,

Paul
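The throttle above counts NEW TCP connections to port 22 per source address (the recent module cannot tell a failed login from a successful one), so a trusted host that opens several ssh sessions reaches the limit unless its ACCEPT is evaluated before the throttle. The following is an added example, not the poster's script: the same recent-module rules built with -A only, so they run in the order written, with the trusted host exempted first. SERVER_IP and CRM_CA are assumed to be set by the caller; the defaults are constructed placeholders, and IPT=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example: ssh throttle with the recent module, in one evaluation order.
# Assumed: caller exports SERVER_IP and CRM_CA (defaults are constructed
# placeholders); set IPT=echo for a dry run that only prints the rules.
IPT="${IPT:-iptables}"
SERVER_IP="${SERVER_IP:-192.0.2.10}"
CRM_CA="${CRM_CA:-198.51.100.5}"

ssh_rules() {
    # 1. Trusted CA systems are accepted before the throttle ever sees them.
    $IPT -A INPUT -s "$CRM_CA" -j ACCEPT
    $IPT -A OUTPUT -d "$CRM_CA" -j ACCEPT

    # 2. Throttle: count NEW connections to port 22 per source; drop once 3
    #    have been seen within 180 seconds, otherwise record this one.
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW \
        -m recent --name SSH --rsource --update --seconds 180 --hitcount 3 -j DROP
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW \
        -m recent --name SSH --rsource --set

    # 3. Whatever survived the throttle may open or continue an ssh session.
    $IPT -A INPUT -p tcp -d "$SERVER_IP" --dport 22 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -p tcp -s "$SERVER_IP" --sport 22 \
        -m state --state ESTABLISHED -j ACCEPT
}

# Dry-run check: returns 0 only when the trusted-host ACCEPT is listed
# before the DROP, i.e. the order the rules will be evaluated in.
check_order() {
    (IPT=echo; ssh_rules) | awk -v ca="$CRM_CA" '
        $0 ~ ("-s " ca " -j ACCEPT") && !a { a = NR }
        /-j DROP/ && !d { d = NR }
        END { exit !(a && d && a < d) }'
}
```

Run `check_order` before loading the rules for real; with the poster's `-I` inserts the same check would fail because the DROP lands ahead of the trusted-host ACCEPT.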
