[Firehol-support] Re: Integrating ipt_recent with FireHOL

Carlos Rodrigues carlos.efr at mail.telepac.pt
Thu Nov 10 02:34:02 GMT 2005

Harry Sufehmi wrote:
> Can anyone give any clue regarding this ? I'd be interested to utilize 
> this as well. My server (and I believe many others) have been subjected 
> to these brute-force attacks too.

My point was more about integrating this into the "FireHOL language" 
than being able to do this from within firehol.conf, which is already 
possible using the "iptables" helper (which acts just like an alias for 

So, you can add the following block of code to your firehol.conf, 
somewhere before any "interface" or "router" blocks:


# Block any address who tries to connect more than three times within
# 30 seconds. Unblock after it stops trying to connect for 30 seconds.

iptables -N block_abusers
iptables -A block_abusers -p tcp --dport ssh -m recent --set --name SSH
iptables -A block_abusers -p tcp --dport ssh -m recent \
	 --update --seconds 30 --hitcount 4 --name SSH -j DROP

# Filter traffic coming in to this machine
iptables -I INPUT 1 -i eth0 -m state --state NEW -j block_abusers

# Filter traffic passing through this machine
iptables -I FORWARD 1 -i eth0 -m state --state NEW -j block_abusers


The jump to chain "block_abusers" is added as the first rule in the 
INPUT and FORWARD chains, to avoid being affected or interfering with 
FireHOL-generated rules.

You may want to REJECT abusers instead of DROPing them while testing.

Carlos Rodrigues

More information about the Firehol-support mailing list