[PLUG] TCP Wrappers and IPs
Carla Schroder
carla at bratgrrl.com
Tue Feb 21 21:36:39 UTC 2006
On Tuesday 21 February 2006 11:49, Roderick A. Anderson wrote:
> Paul Mullen wrote:
> > On Tue, Feb 21, 2006 at 07:58:58AM -0800, Ed Sawicki wrote:
> >>A far easier solution is to move ssh to a non-standard port.
> >
> > That doesn't help when you're behind a firewall that blocks any
> > non-standard ports.
But aren't you the boss of the firewall, since you're creating these rules?
Anyway, your iptables hack is very excellent.
> >
> > I just recently began using a nifty iptables trick that limits the
> > rate of new incoming SSH connections (three/minute in this case):
>
> Very nice. Question (as I'm an iptables neophyte): is this total
> connections or per connecting IP? Say 5 people, that should be
> connecting, try in the same one minute period. Do they all get in if
> they make the connection in the first try?
>
> Terrible phrasing and terminology ... I know. Hopefully it gets my
> question across.
It does not discriminate on the basis of source address. It simply
rate-limits the number of new connections per minute from anywhere. So if
your limit is 4/minute, and 5 people try to connect, the last one will be
blocked, and will have to wait. OpenSSH keeps trying
> iptables -N SSH_LIMIT
> iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_LIMIT
> iptables -A SSH_LIMIT -m state --state NEW -m recent --set --name SSH
> iptables -A SSH_LIMIT -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name SSH
> iptables -A SSH_LIMIT -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 4 --name SSH -j DROP
You might want to create an allow rule if you log in from the same remote
address a lot. Something like this that puts no restrictions on SSH traffic
from a particular address:
iptables -A INPUT -p tcp -s 12.34.56.78 --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT
Put this rule way high up in your script, to come before any other rules. This
example restricts the source ports because anything coming from a privileged
port is probably trouble, like from a compromised host using a spoofed IP.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Carla Schroder
check out my "Linux Cookbook", the ultimate Linux user's
and sysadmin's guide! http://www.oreilly.com/catalog/linuxckbk/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~