The Wednesday 2006-11-01 at 03:58 -0700, Wilson Mattos wrote:
> You can definitely accomplish what you want with iptables. You have the right concept on how to do it, but your rules are not quite right.
>
> Try this (and make sure that if you have other rules that these show up first, otherwise other rules you might have in the INPUT chain might be allowing the packets and iptables never gets to these rules):
>
> iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH
> iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 4 --name SSH --rsource -j LOG --log-prefix "SSH_brute_force "
> iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 4 --name SSH -j DROP
> iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
That appears to be similar to what Bjorn Tore Sund posted here a year ago (<http://lists.suse.com/archive/suse-security/2005-Dec/0069.html>), as a set of rules to be included in "/etc/sysconfig/scripts/SuSEfirewall2-custom". I have them in fw_custom_before_antispoofing() - although I don't know if that is the best place:

{
    iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
    iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j LOG --log-prefix 'SSH attack: '
    iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j REJECT
    true
}

But what you propose, especially the second one, is more elaborate and interesting, and your explanation is enlightening. Could it be included in SuSEfirewall scripts somewhere?

--
Cheers,
Carlos E. R.
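A small model of the iptables recent match behind both rulesets, added here as an example and not code from either post. It replays Wilson's four rules over a constructed set of NEW SSH connections (addresses and timings are made up) and shows the 4th attempt within 60 seconds being dropped, a legitimate admin tripping the same threshold, and the --hitcount 6 of the SuSEfirewall2-custom variant letting the same pattern through; that variant's --update and REJECT are not modelled, only its threshold.

```python
# Model of the iptables 'recent' match (--set / --rcheck --seconds --hitcount)
# as used by the SSH rules above; added example, not code from the post.
from collections import defaultdict

STAMPS_MAX = 20  # xt_recent keeps at most ip_pkt_list_tot (default 20) stamps


class RecentList:
    def __init__(self):
        self.stamps = defaultdict(list)  # --name list: src -> packet times

    def set(self, src, now):
        # --set: create the entry if needed and record this packet's time
        stamps = self.stamps[src]
        stamps.append(now)
        del stamps[:-STAMPS_MAX]

    def rcheck(self, src, now, seconds, hitcount):
        # --rcheck --seconds S --hitcount N: match if the address is listed
        # and at least N of its stamps fall within the last S seconds
        return sum(1 for t in self.stamps.get(src, ()) if now - t <= seconds) >= hitcount


def ssh_chain(conns, seconds=60, hitcount=4):
    """Run (time, src) NEW SSH connections through the four INPUT rules;
    returns "DROP" where the --rcheck rules match (LOG fires just before
    the DROP) and "ACCEPT" otherwise."""
    recent = RecentList()
    verdicts = []
    for now, src in conns:
        recent.set(src, now)  # rule 1: every NEW SYN refreshes the entry
        blocked = recent.rcheck(src, now, seconds, hitcount)  # rules 2 and 3
        verdicts.append("DROP" if blocked else "ACCEPT")  # rule 4 otherwise
    return verdicts


# Constructed sample (not captured traffic): an attacker retrying SSH and an
# admin opening several sessions; addresses come from documentation ranges.
ATTACKER, ADMIN = "203.0.113.5", "198.51.100.9"
SAMPLE = [
    (0, ATTACKER), (0, ADMIN), (10, ATTACKER), (20, ATTACKER), (20, ADMIN),
    (30, ATTACKER),   # 4th attempt inside 60 s: hitcount reached -> DROP
    (40, ADMIN),
    (45, ATTACKER),   # still dropped while attempts keep landing in the window
    (55, ADMIN),      # the admin's 4th connection in a minute trips the rule too
    (150, ATTACKER),  # the window has drained: one attempt is ACCEPTed again
    (300, ADMIN),
]

if __name__ == "__main__":
    for (now, src), verdict in zip(SAMPLE, ssh_chain(SAMPLE)):
        print(f"t={now:>3}s {src:<13} {verdict}")
```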