
Re: DenyHosts



Hi.

On Sat, 16 Jan 2016 07:35:54 -0500
Steve Matzura <number6@noisynotes.com> wrote:
> >But with conjunction with the previous one it implements the following
> >policy:
> >
> >- anyone can connect up to 16 times via ssh.
> >- anyone exceeding the connection limit is tarpitted, and must wait
> >for an hour to try again.
> 
> That seems more than fair. Nobody using the system correctly should
> ever break this rule under normal circumstances and/or conditions.

Indeed. That's why I use exactly these rules for my hosts ;)


> >> How do these commands function to lock out specific addresses or
> >> address ranges?
> >
> >The current implementation works with single source IPs.
> >Modifying the rules to work with IP ranges is an exercise left for the
> >reader :)
> 
> By "the current implementation," do you mean before or after I used
> the commands you gave? There is nothing in either of these two
> complex-side command sets that specify a single address.

I meant these two netfilter rules.
There's no need to specify either source or destination IPs in these
rules; the whole idea of these rules is to apply to anyone.
It's sufficient to store a hash of the source IP from previous connection
attempts, as that's what is used for counting them.


It's possible to limit this policy to a single IP (or a subnet in this
example):

# Rule 1: let the first 16 new ssh connections per source IP through, then
# refill at 1/hour; the per-source entry is forgotten after 60 s without
# any matching packet (--hashlimit-htable-expire is in milliseconds).
iptables -I INPUT -p tcp --dport 22 -s 59.46.71.0/24 \
	-m conntrack --ctstate NEW \
	-m hashlimit --hashlimit 1/hour --hashlimit-burst 16 \
	--hashlimit-mode srcip --hashlimit-name ssh \
	--hashlimit-htable-expire 60000 -j ACCEPT

# Rule 2: drop any further SYNs from those sources. Inserted at position 2
# so it lands below rule 1; a plain "-I INPUT" run after rule 1 would put
# it first and drop every ssh SYN from the subnet.
iptables -I INPUT 2 -p tcp --dport 22 -s 59.46.71.0/24 \
	--tcp-flags SYN,RST,ACK SYN -j DROP


But then again - why bother? This set of rules should not interfere
with normal user activity anyway.

Reco
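The accept/drop decision the two rules make, modelled as an added example (not code from this thread or from netfilter): the rate, burst and htable-expire values are the ones quoted above, while the addresses and timestamps are constructed. It also shows the effect of --hashlimit-htable-expire 60000: a source that keeps retrying stays throttled, but one that goes silent for a minute gets a fresh burst of 16.

```python
"""Token-bucket model of the ssh hashlimit rules (added illustration)."""

HOUR = 3600.0


class HashLimit:
    """Approximates xt_hashlimit in 'srcip' mode: one bucket per source IP,
    capacity --hashlimit-burst, refilled at the --hashlimit rate, and the
    entry dropped after --hashlimit-htable-expire ms without any packet.
    The kernel's garbage collector runs every second; here expiry is exact."""

    def __init__(self, rate_per_hour=1, burst=16, expire_ms=60000):
        self.refill = rate_per_hour / HOUR   # credits regained per second
        self.burst = burst
        self.expire = expire_ms / 1000.0
        self.table = {}                      # srcip -> (credits, last_seen)

    def new_connection(self, srcip, now):
        """True if rule 1 ACCEPTs this NEW SYN, False if it falls to rule 2."""
        entry = self.table.get(srcip)
        if entry is None or now - entry[1] > self.expire:
            credits = float(self.burst)      # fresh entry: full burst again
        else:
            credits, last = entry
            credits = min(self.burst, credits + (now - last) * self.refill)
        # A dropped packet still refreshes the entry, so a source that keeps
        # hammering stays throttled; only silence lets the entry expire.
        accepted = credits >= 1
        self.table[srcip] = (credits - 1 if accepted else credits, now)
        return accepted


# Constructed timeline (seconds, source IP): a scanner fires 17 SYNs in 17 s,
# an admin connects once from elsewhere, the scanner retries at 30 s and,
# after a 61 s pause, again at 91 s.
ATTEMPTS = [(float(t), "203.0.113.5") for t in range(17)] + [
    (20.0, "198.51.100.7"), (30.0, "203.0.113.5"), (91.0, "203.0.113.5")]


def decisions(attempts=ATTEMPTS):
    """Run the timeline through one hashlimit table; returns ACCEPT/DROP per attempt."""
    hl = HashLimit()
    return ["ACCEPT" if hl.new_connection(ip, t) else "DROP" for t, ip in attempts]


if __name__ == "__main__":
    for (t, ip), verdict in zip(ATTEMPTS, decisions()):
        print(f"t={t:5.1f}s {ip:14} {verdict}")
```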