[Firehol-support] Re: Integrating ipt_recent with FireHOL

Rick Marshall rjm at zenucom.com
Fri Nov 11 23:46:27 GMT 2005


I really need the option to not log the overflow connections - it's the 
0.5MB email I get every day from the log files that I want to reduce.

And I've noticed that the SSH username lists used to attack servers are 
getting very long now.

rick

Costa Tsaousis wrote:

> In v1.240 (get it from http://firehol.sf.net/firehol.tar.gz) you now can:
>
> server smtp accept with recent NAME SECONDS HITS
>
> Example:
>
> server smtp accept with recent SMTP 30 5
>
> will allow only 4 (5-1) NEW connections every 30 seconds.
> The overflow connections will be treated as if the "server smtp 
> accept" was not there... (i.e. logged and dropped at the end of the 
> interface, or the end of the firewall for routers)
>
> You can disable SECONDS or HITS by giving an empty argument:
>
> server smtp accept with recent SMTP "" 5
>
> or
>
> server smtp accept with recent SMTP 30 ""
>
> Do you believe we should also add a "recent" protection, so that one 
> can limit the rate of connections per interface and router for all the 
> services together, or even a "recent" helper so that one can limit the 
> rate of connections globally for the whole of the firewall?
>
> Costa
>
> Carlos Rodrigues wrote:
>
>> Harry Sufehmi wrote:
>>
>>> Can anyone give any clue regarding this ? I'd be interested to 
>>> utilize this as well. My server (and I believe many others) have 
>>> been subjected to these brute-force attacks too.
>>
>>
>>
>> My point was more about integrating this into the "FireHOL language" 
>> than being able to do this from within firehol.conf, which is already 
>> possible using the "iptables" helper (which acts just like an alias 
>> for "/sbin/iptables").
>>
>> So, you can add the following block of code to your firehol.conf, 
>> somewhere before any "interface" or "router" blocks:
>>
>> #--8<---------------------
>>
>> # Block any address that tries to connect more than three times within
>> # 30 seconds. Unblock after it stops trying to connect for 30 seconds.
>>
>> iptables -N block_abusers
>> iptables -A block_abusers -p tcp --dport ssh -m recent --set --name SSH
>> iptables -A block_abusers -p tcp --dport ssh -m recent \
>>      --update --seconds 30 --hitcount 4 --name SSH -j DROP
>>
>> # Filter traffic coming in to this machine
>> iptables -I INPUT 1 -i eth0 -m state --state NEW -j block_abusers
>>
>> # Filter traffic passing through this machine
>> iptables -I FORWARD 1 -i eth0 -m state --state NEW -j block_abusers
>>
>> #--8<---------------------
>>
>> The jump to chain "block_abusers" is added as the first rule in the 
>> INPUT and FORWARD chains, to avoid being affected or interfering with 
>> FireHOL-generated rules.
>>
>> You may want to REJECT abusers instead of DROPing them while testing.
>>
>> Carlos Rodrigues
>>
>>
>> _______________________________________________
>> Firehol-support mailing list
>> Firehol-support at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/firehol-support
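As an added illustration that is not part of this thread, of FireHOL, or of the kernel: a small Python model of the `-m recent` sliding window that the block_abusers chain above relies on, so one can see exactly when a source is dropped and when it is let back in. It assumes the xt_recent semantics (a `--set` rule appends a timestamp for the source; `--update` matches when at least `--hitcount` timestamps fall within the last `--seconds` and, on a match, appends the current time as well), a per-source history of 20 entries (assumed to be the module's default `ip_pkt_list_tot`), and constructed sample addresses and times. `None` stands in for an omitted option, which is how the empty "" argument in the FireHOL syntax reads.

```python
# Added model of the iptables "-m recent" window (not FireHOL or kernel code).
# Assumed xt_recent semantics: "--set" appends a timestamp for the source;
# "--update --seconds S --hitcount H" matches when at least H timestamps fall
# within the last S seconds and, on a match, appends the current time too.
# A per-source history holds at most 20 entries (assumed default ip_pkt_list_tot).
from collections import defaultdict, deque

MAX_STAMPS = 20  # assumption: the module's default ip_pkt_list_tot


class RecentList:
    """One named list (e.g. --name SSH): source address -> recent timestamps."""

    def __init__(self, name):
        self.name = name
        self.stamps = defaultdict(lambda: deque(maxlen=MAX_STAMPS))

    def set(self, src, now):
        """`--set`: record the current time for the source."""
        self.stamps[src].append(now)

    def update(self, src, now, seconds=None, hitcount=None):
        """`--update [--seconds S] [--hitcount H]`.

        None stands for an omitted option (the "" argument in the FireHOL
        syntax): no --seconds means every stored stamp counts, no --hitcount
        means a single stamp is enough.  On a match the current time is
        recorded as well, which is what keeps a persistent source blocked.
        """
        if src not in self.stamps:
            return False
        history = self.stamps[src]
        if seconds is None:
            hits = len(history)
        else:
            hits = sum(1 for t in history if now - t <= seconds)
        matched = hits >= (1 if hitcount is None else hitcount)
        if matched:
            history.append(now)
        return matched


def block_abusers(ssh_list, src, now, seconds=30, hitcount=4):
    """One NEW connection through the quoted block_abusers chain.

    Returns 'DROP' when the --update rule matches and 'RETURN' otherwise
    (the packet then falls through to the FireHOL-generated rules).
    """
    ssh_list.set(src, now)                                # rule 1: --set
    if ssh_list.update(src, now, seconds, hitcount):      # rule 2: --update
        return "DROP"
    return "RETURN"


def simulate(events, seconds=30, hitcount=4):
    """Feed (time, src) NEW connections through the chain in time order
    and return (time, src, verdict) for each."""
    ssh_list = RecentList("SSH")
    return [(t, src, block_abusers(ssh_list, src, t, seconds, hitcount))
            for t, src in sorted(events)]


# Constructed sample: one host hammers sshd, another connects once.
SAMPLE_EVENTS = [
    (0, "198.51.100.7"), (1, "198.51.100.7"), (2, "198.51.100.7"),
    (3, "198.51.100.7"), (5, "203.0.113.9"), (20, "198.51.100.7"),
    (45, "198.51.100.7"), (60, "198.51.100.7"),
]

if __name__ == "__main__":
    for t, src, verdict in simulate(SAMPLE_EVENTS):
        print(f"t={t:3d}s  {src:15s}  {verdict}")
```

Running the sample shows the fourth attempt within 30 seconds dropped, the other host unaffected, and the hammering host dropped again at t=20. It is accepted again at t=45, only 25 seconds after its last attempt, because the block lasts exactly as long as at least `hitcount` stamps remain inside the window, not for a full quiet interval; the three stamps from t=0..3 have aged out by then. Note also that every dropped attempt records two stamps (one from `--set`, one from the matching `--update`), so a source that keeps retrying at short intervals stays blocked, while the `--state NEW` match in the quoted rules leaves already established sessions untouched.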