[Firehol-support] Re: Integrating ipt_recent with FireHOL
Costa Tsaousis
costa at tsaousis.gr
Fri Nov 11 23:00:45 GMT 2005
In v1.240 (get it from http://firehol.sf.net/firehol.tar.gz) you now can:
server smtp accept with recent NAME SECONDS HITS
Example:
server smtp accept with recent SMTP 30 5
will allow only 4 (5-1) NEW connections every 30 seconds.
The overflow connections will be treated as if the "server smtp accept"
was not there... (i.e. logged and dropped at the end of the interface,
or the end of the firewall for routers)
You can disable SECONDS or HITS by giving an empty argument:
server smtp accept with recent SMTP "" 5
or
server smtp accept with recent SMTP 30 ""
Do you believe we should also add a "recent" protection, so that one can
limit the rate of connections per interface and router for all the
services together, or even a "recent" helper so that one can limit the
rate of connections globally for the whole of the firewall?
Costa
Carlos Rodrigues wrote:
> Harry Sufehmi wrote:
>
>> Can anyone give any clue regarding this ? I'd be interested to
>> utilize this as well. My server (and I believe many others) have been
>> subjected to these brute-force attacks too.
>
>
> My point was more about integrating this into the "FireHOL language"
> than being able to do this from within firehol.conf, which is already
> possible using the "iptables" helper (which acts just like an alias
> for "/sbin/iptables").
>
> So, you can add the following block of code to your firehol.conf,
> somewhere before any "interface" or "router" blocks:
>
> #--8<---------------------
>
> # Block any address who tries to connect more than three times within
> # 30 seconds. Unblock after it stops trying to connect for 30 seconds.
>
> iptables -N block_abusers
> iptables -A block_abusers -p tcp --dport ssh -m recent --set --name SSH
> iptables -A block_abusers -p tcp --dport ssh -m recent \
> --update --seconds 30 --hitcount 4 --name SSH -j DROP
>
> # Filter traffic coming in to this machine
> iptables -I INPUT 1 -i eth0 -m state --state NEW -j block_abusers
>
> # Filter traffic passing through this machine
> iptables -I FORWARD 1 -i eth0 -m state --state NEW -j block_abusers
>
> #--8<---------------------
>
> The jump to chain "block_abusers" is added as the first rule in the
> INPUT and FORWARD chains, to avoid being affected or interfering with
> FireHOL-generated rules.
>
> You may want to REJECT abusers instead of DROPing them while testing.
>
> Carlos Rodrigues
>
>
> -------------------------------------------------------
> SF.Net email is sponsored by:
> Tame your development challenges with Apache's Geronimo App Server.
> Download
> it for free - -and be entered to win a 42" plasma tv or your very own
> Sony(tm)PSP. Click here to play: http://sourceforge.net/geronimo.php
> _______________________________________________
> Firehol-support mailing list
> Firehol-support at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/firehol-support
More information about the Firehol-support
mailing list