[Firehol-support] Integrating ipt_recent with FireHOL

Carlos Rodrigues carlos.efr at mail.telepac.pt
Sun Oct 30 19:17:40 GMT 2005


I've been trying to stop those pesky ssh-brute force attacks with these rules:

iptables -I INPUT 1 -p tcp --dport 22 -i eth0 -m state --state NEW \
    -m recent --set --name SSH
iptables -I INPUT 2 -p tcp --dport 22 -i eth0 -m state --state NEW \
    -m recent --update --seconds 15 --hitcount 4 --name SSH -j REJECT

This works just fine, blocking the attacker if he tries to connect
more than 3 times within 15 seconds, and only unblocking him if he
stops trying for another 15 seconds.

But I would like to integrate this a bit better with my FireHOL configuration.

The first thing I tried was to insert these rules (manually, from the
command line) at the beginning of the interface chain generated by
FireHOL (in_internet, as the interface is named "internet"), with the
following commands:

iptables -I in_internet 1 -p tcp --dport 22 -m state --state NEW \
    -m recent --set --name SSH
iptables -I in_internet 2 -p tcp --dport 22 -m state --state NEW \
    -m recent --update --seconds 15 --hitcount 4 --name SSH -j REJECT

But this doesn't work at all. All ssh connection attempts are rejected
right away.

I must confess that my low-level knowledge about iptables is limited,
but I'm not seeing why this causes the rejection of all ssh traffic.

The idea is to maybe try and build a helper function which could be
used inside an "interface" or "router" block. And if it turned out
right, submit it for inclusion in the standard FireHOL.


Carlos Rodrigues
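The two-rule chain above, as an added example that is not from the original post or from FireHOL: a simplified Python model of the `-m recent` --set/--update semantics, assuming integer-second timestamps, an inclusive "stamp >= now - seconds" window and the kernel default of 20 stamps per source (ip_pkt_list_tot). It shows why three attempts in 15 s pass, the fourth is rejected, and an attacker who keeps knocking every few seconds stays blocked.

```python
from collections import defaultdict, deque

# Constructed, simplified model of the xt_recent ("-m recent") match.
# Assumptions: integer-second timestamps, window check "stamp >= now - seconds",
# at most IP_PKT_LIST_TOT stamps kept per source (kernel default is 20).
IP_PKT_LIST_TOT = 20
SECONDS = 15    # --seconds 15
HITCOUNT = 4    # --hitcount 4


class RecentTable:
    """One named list (the post's 'SSH'): source address -> recent stamps."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=IP_PKT_LIST_TOT))

    def set(self, src, now):
        # `--set`: record a hit for this source; the rule always matches.
        self.stamps[src].append(now)
        return True

    def update(self, src, now, seconds=SECONDS, hitcount=HITCOUNT):
        # `--update --seconds S --hitcount H`: match when the source has at
        # least H stamps inside the last S seconds. On a match the "last seen"
        # time is refreshed with another stamp, which is what keeps a
        # persistent attacker blocked for as long as he keeps trying.
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if t >= now - seconds)
        if hits >= hitcount:
            self.stamps[src].append(now)
            return True
        return False


def ssh_new_connection(table, src, now):
    """Walk one NEW tcp/22 packet through the two rules and return the verdict."""
    table.set(src, now)                 # rule 1: --set, no -j, falls through
    if table.update(src, now):          # rule 2: --update ... -j REJECT
        return "REJECT"
    return "PASS"                       # not matched: the rest of the chain decides


def verdicts(attempt_times, src="198.51.100.7"):
    """Verdict for each connection attempt of one (constructed) source address."""
    table = RecentTable()
    return [ssh_new_connection(table, src, t) for t in attempt_times]
```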
