I don't follow... that is not my entire ruleset, but everything for the brute force is there..
On Fri, Oct 17, 2008 at 8:21 PM, Pascal Hambourg
<pascal.mail@plouf.fr.eu.org> wrote:
Hello,
Stephen Vaughan a écrit :
I have a ruleset which works for blocking brute force attempts on port 21,
but I'm not sure how to open port 21 without exluding the rules, ie:
# default
$IPTABLES -P INPUT DROP
# when this rule is enabled it doesn't go any further since it's a match, so
how do I get it to allow the port to be open, but also run through the brute
force tables?
$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
$IPTABLES -N FTP2
$IPTABLES -N FTPBF
$IPTABLES -N FTPNEW
$IPTABLES -A FTP2 -p tcp -m tcp --dport 21 -m state --state NEW -j FTPNEW
$IPTABLES -A FTP2 -m recent --set --name FTPBLOCK --rsource
$IPTABLES -A FTP2 -j LOG --log-prefix "FTP BRUTE FORCE: " --log-level 6
$IPTABLES -A FTP2 -j DROP
$IPTABLES -A FTPBF -p tcp -m tcp --dport 21 -j DROP
$IPTABLES -A FTPNEW -m recent --rcheck --name FTPBLOCK --rsource -j FTPBF
$IPTABLES -A FTPNEW -m recent --set --name FTP --rsource
$IPTABLES -A FTPNEW -m recent --update --seconds 120 --hitcount 6 --name FTP
--rsource -j FTP2
[Be aware that the 'recent' match can be circumvented or abused to cause a DoS. You might consider using tools based on authentication failure such as fail2ban instead.]
--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
--
Best Regards,
Stephen