[Firehol-support] Re: Integrating ipt_recent with FireHOL
Carlos Rodrigues
carlos.efr at mail.telepac.pt
Thu Nov 10 02:34:02 GMT 2005
Harry Sufehmi wrote:
> Can anyone give any clue regarding this ? I'd be interested to utilize
> this as well. My server (and I believe many others) have been subjected
> to these brute-force attacks too.
My point was more about integrating this into the "FireHOL language"
than being able to do this from within firehol.conf, which is already
possible using the "iptables" helper (which acts just like an alias for
"/sbin/iptables").
So, you can add the following block of code to your firehol.conf,
somewhere before any "interface" or "router" blocks:
#--8<---------------------
# Block any address who tries to connect more than three times within
# 30 seconds. Unblock after it stops trying to connect for 30 seconds.
iptables -N block_abusers
iptables -A block_abusers -p tcp --dport ssh -m recent --set --name SSH
iptables -A block_abusers -p tcp --dport ssh -m recent \
--update --seconds 30 --hitcount 4 --name SSH -j DROP
# Filter traffic coming in to this machine
iptables -I INPUT 1 -i eth0 -m state --state NEW -j block_abusers
# Filter traffic passing through this machine
iptables -I FORWARD 1 -i eth0 -m state --state NEW -j block_abusers
#--8<---------------------
The jump to chain "block_abusers" is added as the first rule in the
INPUT and FORWARD chains, to avoid being affected or interfering with
FireHOL-generated rules.
You may want to REJECT abusers instead of DROPing them while testing.
Carlos Rodrigues
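As an added example (not part of Carlos's post or of FireHOL itself), the following Python model traces the `--set` / `--update --seconds 30 --hitcount 4` rule pair from the block above on constructed timestamps, so you can see when an address starts being dropped and when it is let through again. It simplifies ipt_recent to "match when at least `--hitcount` timestamps fall inside the `--seconds` window" and assumes `--update` records a fresh timestamp on a match.

```python
# Added example, not code from the post or from FireHOL: a small model of the
# block_abusers chain (--set, then --update --seconds 30 --hitcount 4 -j DROP).
# All addresses and timestamps below are constructed sample data.
from collections import defaultdict, deque

SECONDS = 30   # --seconds 30
HITCOUNT = 4   # --hitcount 4
PKT_LIST = 20  # ipt_recent keeps a bounded list of timestamps per address


class RecentTable:
    """Per-address hit timestamps, like one named ipt_recent list (SSH)."""

    def __init__(self):
        self.hits = defaultdict(lambda: deque(maxlen=PKT_LIST))

    def set(self, addr, now):
        # --set: add the address if missing and record this packet's time
        self.hits[addr].append(now)

    def update(self, addr, now):
        # --update --seconds N --hitcount H: match when the address is listed
        # and has at least H hits in the last N seconds. Assumption of this
        # model: a match records a fresh timestamp, so an address that keeps
        # trying stays blocked until it has been quiet for N seconds.
        if addr not in self.hits:
            return False
        recent = [t for t in self.hits[addr] if now - t <= SECONDS]
        if len(recent) >= HITCOUNT:
            self.hits[addr].append(now)
            return True
        return False


def block_abusers(table, addr, now):
    """Verdict of the block_abusers chain for one NEW SSH packet:
    'DROP' if the second rule matches, else 'ACCEPT' (chain falls through)."""
    table.set(addr, now)
    return "DROP" if table.update(addr, now) else "ACCEPT"


def simulate(attempts):
    """attempts: list of (seconds, addr); returns one verdict per attempt."""
    table = RecentTable()
    return [block_abusers(table, addr, t) for t, addr in attempts]


if __name__ == "__main__":
    # fourth attempt within 30 s is dropped, and the block is held while the
    # attempts continue; after 35 s of silence the address is accepted again
    print(simulate([(0, "a"), (5, "a"), (10, "a"), (15, "a"),
                    (20, "a"), (25, "a"), (60, "a")]))
```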