Re: blocking brute force attempts using iptables

[Pascal Hambourg <pascal.mail@plouf.fr.eu.org>]

Hello,

Stephen Vaughan a écrit :
> I have a ruleset which works for blocking brute force attempts on port 21,
> but I'm not sure how to open port 21 without exluding the rules, ie:
>
> # default
> $IPTABLES -P INPUT DROP
>
> # when this rule is enabled it doesn't go any further since it's a match, so
> how do I get it to allow the port to be open, but also run through the brute
> force tables?
> $IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
>
> $IPTABLES -N FTP2
> $IPTABLES -N FTPBF
> $IPTABLES -N FTPNEW
> $IPTABLES -A FTP2 -p tcp -m tcp --dport 21 -m state --state NEW -j FTPNEW
> $IPTABLES -A FTP2 -m recent --set --name FTPBLOCK --rsource
> $IPTABLES -A FTP2 -j LOG --log-prefix "FTP BRUTE FORCE: " --log-level 6
> $IPTABLES -A FTP2 -j DROP
> $IPTABLES -A FTPBF -p tcp -m tcp --dport 21 -j DROP
> $IPTABLES -A FTPNEW -m recent --rcheck --name FTPBLOCK --rsource -j FTPBF
> $IPTABLES -A FTPNEW -m recent --set --name FTP --rsource
> $IPTABLES -A FTPNEW -m recent --update --seconds 120 --hitcount 6 --name FTP
> --rsource -j FTP2

You are not giving us the full picture. How are these chains called ?

[Be aware that the 'recent' match can be circumvented or abused to cause 
a DoS. You might consider using tools based on authentication failure 
such as fail2ban instead.]