From: Richard Horton
Subject: Re: ssh overflow blacklisting not working properly
Date: Mon, 29 Mar 2010 12:54:53 +0100
Message-ID: <56378e321003290454k3e39a5afo525579d7138c1f40@mail.gmail.com>
References: <4BB0574A.2060106@infoservices.in> <56378e321003290118i2fd96c99l29f2590743e5fb36@mail.gmail.com> <4BB08644.1060009@infoservices.in> <4BB08D76.9010006@infoservices.in>
In-Reply-To: <4BB08D76.9010006@infoservices.in>
To: "J. Bakshi"
Cc: Jan Engelhardt, netfilter@vger.kernel.org

> Could you kindly enlighten me in that direction with possibly little
> examples.

# Generated by iptables-save v1.4.5 on Mon Mar 29 12:04:05 2010
*filter
:INPUT ACCEPT [1:68]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:68]
-A INPUT -p tcp -m hashlimit --hashlimit-above 3/min --hashlimit-burst 1 --hashlimit-name hashlimit -m state --state NEW -m tcp --dport 22 -j MARK --set-xmark 0x1/0xffffffff
-A INPUT -m recent --rcheck --seconds 600 --name DEFAULT --rsource -j DROP
-A INPUT -m mark --mark 0x1 -m recent --set --name DEFAULT --rsource -j DROP
COMMIT
# Completed on Mon Mar 29 12:04:05 2010

Should do what you're looking for...

Rule 1: Check the hashlimit and if more than 3/min then mark the packets.
Rule 2: Check the recent table to see if the address is in it and has been seen in the last 10 mins, and drop if it has.
Rule 3: If the packet has been marked by rule 1 (this could actually be combined with rule one, but it just gets to be a long line and a mess to explain), add the source address (the --set option of recent) and drop.
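Added example, not part of Richard's reply or of netfilter itself: a small Python model of the three rules above, run over a constructed sequence of NEW tcp/22 attempts, so you can trace which attempt gets marked, blacklisted, and released after the 600 s window. The per_source switch models what --hashlimit-mode srcip would do; the posted rule gives no --hashlimit-mode, so hashlimit keeps one shared 3/min bucket for all sources, and a second address can be blacklisted on the back of another's traffic. The token-bucket refill is an approximation of xt_hashlimit's credit accounting (assumption); all addresses and timestamps are constructed.

```python
from dataclasses import dataclass, field

# Values taken from the posted rules: 3/min, burst 1, recent --seconds 600.
RATE_PER_MIN, BURST, BAN_SECONDS = 3, 1, 600


@dataclass
class Chain:
    """Model of the three INPUT rules; per_source=True models --hashlimit-mode srcip."""
    per_source: bool = False
    tokens: dict = field(default_factory=dict)     # bucket key -> credit left
    refill_at: dict = field(default_factory=dict)  # bucket key -> last refill time
    recent: dict = field(default_factory=dict)     # src -> time of recent --set

    def _refill(self, src, now):
        # Without --hashlimit-mode there is a single bucket shared by every source.
        key = src if self.per_source else "*"
        tokens = self.tokens.get(key, BURST)
        last = self.refill_at.get(key, now)
        # Token-bucket approximation of hashlimit credit (assumption).
        self.tokens[key] = min(BURST, tokens + (now - last) * RATE_PER_MIN / 60)
        self.refill_at[key] = now
        return key

    def new_ssh(self, src, now):
        """Verdict for one NEW tcp/22 packet from src at time now (seconds)."""
        # Rule 1: hashlimit --hashlimit-above 3/min --hashlimit-burst 1 -> MARK.
        # It runs before the recent checks, so even blacklisted packets spend credit.
        key = self._refill(src, now)
        if self.tokens[key] >= 1:
            self.tokens[key] -= 1
            marked = False
        else:
            marked = True
        # Rule 2: recent --rcheck --seconds 600 -> DROP if seen within the window.
        if src in self.recent and now - self.recent[src] <= BAN_SECONDS:
            return "DROP (blacklisted)"
        # Rule 3: marked packets add the source to the recent table and are dropped.
        if marked:
            self.recent[src] = now
            return "DROP (blacklisted now)"
        return "ACCEPT"


if __name__ == "__main__":
    for per_source in (False, True):
        chain = Chain(per_source=per_source)
        print(f"per_source={per_source}")
        for src, t in [("10.0.0.1", 0), ("10.0.0.1", 1), ("10.0.0.1", 2),
                       ("10.0.0.2", 5), ("10.0.0.1", 700)]:
            print(f"  t={t:3d} {src}: {chain.new_ssh(src, t)}")
```

With per_source=False the attempt from 10.0.0.2 at t=5 is blacklisted although that host has sent nothing before, because the shared bucket was emptied by 10.0.0.1.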