[Firehol-support] Re: Integrating ipt_recent with FireHOL

Costa Tsaousis costa at tsaousis.gr
Fri Nov 11 23:00:45 GMT 2005

In v1.240 (get it from http://firehol.sf.net/firehol.tar.gz) you now can:

server smtp accept with recent NAME SECONDS HITS


server smtp accept with recent SMTP 30 5

will allow only 4 (5-1) NEW connections every 30 seconds.
The overflow connections will be treated as if the "server smtp accept" 
was not there... (i.e. logged and dropped at the end of the interface, 
or the end of the firewall for routers)

You can disable SECONDS or HITS by giving an empty argument:

server smtp accept with recent SMTP "" 5


server smtp accept with recent SMTP 30 ""

Do you believe we should also add a "recent" protection, so that one can 
limit the rate of connections per interface and router for all the 
services together, or even a "recent" helper so that one can limit the 
rate of connections globally for the whole of the firewall?


Carlos Rodrigues wrote:

> Harry Sufehmi wrote:
>> Can anyone give any clue regarding this ? I'd be interested to 
>> utilize this as well. My server (and I believe many others) have been 
>> subjected to these brute-force attacks too.
> My point was more about integrating this into the "FireHOL language" 
> than being able to do this from within firehol.conf, which is already 
> possible using the "iptables" helper (which acts just like an alias 
> for "/sbin/iptables").
> So, you can add the following block of code to your firehol.conf, 
> somewhere before any "interface" or "router" blocks:
> #--8<---------------------
> # Block any address who tries to connect more than three times within
> # 30 seconds. Unblock after it stops trying to connect for 30 seconds.
> iptables -N block_abusers
> iptables -A block_abusers -p tcp --dport ssh -m recent --set --name SSH
> iptables -A block_abusers -p tcp --dport ssh -m recent \
>      --update --seconds 30 --hitcount 4 --name SSH -j DROP
> # Filter traffic coming in to this machine
> iptables -I INPUT 1 -i eth0 -m state --state NEW -j block_abusers
> # Filter traffic passing through this machine
> iptables -I FORWARD 1 -i eth0 -m state --state NEW -j block_abusers
> #--8<---------------------
> The jump to chain "block_abusers" is added as the first rule in the 
> INPUT and FORWARD chains, to avoid being affected or interfering with 
> FireHOL-generated rules.
> You may want to REJECT abusers instead of DROPing them while testing.
> Carlos Rodrigues
> -------------------------------------------------------
> SF.Net email is sponsored by:
> Tame your development challenges with Apache's Geronimo App Server. 
> Download
> it for free - -and be entered to win a 42" plasma tv or your very own
> Sony(tm)PSP.  Click here to play: http://sourceforge.net/geronimo.php
> _______________________________________________
> Firehol-support mailing list
> Firehol-support at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/firehol-support

More information about the Firehol-support mailing list