[Firehol-support] Integrating ipt_recent with FireHOL

Carlos Rodrigues carlos.efr at mail.telepac.pt
Sun Oct 30 19:17:40 GMT 2005


Hi!

I've been trying to stop those pesky ssh brute-force attacks with these rules:

iptables -I INPUT 1 -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set --name SSH
iptables -I INPUT 2 -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 15 --hitcount 4 --name SSH -j REJECT

This works just fine, blocking the attacker if he tries to connect
more than 3 times within 15 seconds, and only unblocking him if he
stops trying for another 15 seconds.

But I would like to integrate this a bit better with my FireHOL configuration.

The first thing I tried was to insert these rules (manually, from the
command line) at the beginning of the interface chain generated by
FireHOL (in_internet, as the interface is named "internet"), with the
following commands:

iptables -I in_internet 1 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -I in_internet 2 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 15 --hitcount 4 --name SSH -j REJECT

But this doesn't work at all. All ssh connection attempts are rejected
right away.

I must confess that my low-level knowledge about iptables is limited,
but I'm not seeing why this causes the rejection of all ssh traffic.

The idea is to maybe try and build a helper function which could be
used inside an "interface" or "router" block. And if it turned out
right, submit it for inclusion in the standard FireHOL.

  Thanks

--
Carlos Rodrigues
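
The rule pair from the post, wrapped as a reusable shell function so the chain, port, window and hit count are parameters instead of being retyped (an added example, not code from the post or from FireHOL; the function names, the IPTABLES variable and the sample table contents are assumptions). Two details matter: the --set rule must come first so the current attempt is counted, and --update (unlike --rcheck) refreshes the address's timestamp on every matching packet, which is why a host that keeps hammering stays blocked until it has been quiet for the full window. The second function summarises the kernel's own view of the list, so an operator can check who is actually being throttled before and after moving the rules into a FireHOL chain.

```shell
#!/bin/sh
# Added example, not part of the original post. IPTABLES can be pointed at
# "echo" to preview the generated rules without touching the live firewall.
: "${IPTABLES:=iptables}"

# recent_ratelimit CHAIN PORT SECONDS HITCOUNT [IFACE] [NAME]
# Rule 1 records every NEW TCP connection to PORT in the ipt_recent list
# NAME (default SSH). Rule 2 rejects the packet when the source address has
# already been seen HITCOUNT times within SECONDS; --update also refreshes
# the timestamp, so the block only lifts after SECONDS of silence.
recent_ratelimit() {
    chain=$1; port=$2; seconds=$3; hits=$4
    iface=${5:-}; name=${6:-SSH}
    in_if=""
    if [ -n "$iface" ]; then
        in_if="-i $iface"
    fi
    # $in_if is intentionally unquoted so it expands to zero or two words.
    "$IPTABLES" -I "$chain" 1 -p tcp --dport "$port" $in_if \
        -m state --state NEW -m recent --set --name "$name"
    "$IPTABLES" -I "$chain" 2 -p tcp --dport "$port" $in_if \
        -m state --state NEW -m recent --update --seconds "$seconds" \
        --hitcount "$hits" --name "$name" -j REJECT
}

# recent_hits FILE
# Summarise a recent-list dump (/proc/net/ipt_recent/SSH on 2.6 kernels,
# /proc/net/xt_recent/SSH later) as "address hit-count" lines. Each entry
# looks like:
#   src=192.0.2.10 ttl: 64 last_seen: 12345 oldest_pkt: 3 12300, 12320, 12345
# The first seven fields are fixed; everything after them is one timestamp
# per recorded hit, so NF - 7 is the number of hits kept for that address.
recent_hits() {
    awk '/^src=/ { sub(/^src=/, "", $1); print $1, NF - 7 }' "$1"
}

# write_sample_table FILE
# Writes a constructed table (not captured from a real host) in the format
# above, so the summary can be exercised without loading the module.
write_sample_table() {
    printf '%s\n' \
        'src=192.0.2.10 ttl: 64 last_seen: 12345 oldest_pkt: 3 12300, 12320, 12345' \
        'src=198.51.100.7 ttl: 52 last_seen: 12350 oldest_pkt: 1 12350' \
        > "$1"
}

# Stand-alone run: preview the rules for the in_internet chain from the post
# (dry run via echo), then summarise the constructed table.
(
    IPTABLES=echo
    recent_ratelimit in_internet 22 15 4 eth0
)
sample=$(mktemp)
write_sample_table "$sample"
recent_hits "$sample"
rm -f "$sample"
```

Running the script as-is only echoes the rules; drop the IPTABLES override (or set IPTABLES=/sbin/iptables) to apply them for real, and read the live /proc file with recent_hits to confirm that a source which tripped the limit shows four timestamps rather than none.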