SSHD_config question

John L Fjellstad john-ubuntu at fjellstad.org
Thu Aug 14 21:05:17 UTC 2008


Smoot Carl-Mitchell <smoot at tic.com> writes:

> You can do similar rate limiting with iptables on Linux systems.
> Something like:
>
> iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
> iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 10 -j DROP

You want to do it in the opposite order.
The way you wrote it, a package will match in the first rule and be
added to the 'recent' table.
It will then match the second rule, and the timestamp will be updated.
The system will notice that the IP address was matched very recently, so the
--seconds won't count.  The hitcount will be 5 instead of 10 as
specified (since one package will match both rules).

If you do the --update before --set, then if the source has never been
seen before, the --update rule won't match, but the --set rule will
match.  On the second and subsequent access tries, the --update rule will
match.

-- 
John L. Fjellstad
web: http://www.fjellstad.org/          Quis custodiet ipsos custodes
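As an added illustration (not code from anyone in this thread), the following Python model walks a chain containing the two rules in either order and reports which new connection attempt from one source is the first to be dropped. It assumes the xt_recent semantics documented in iptables-extensions(8), where --update refreshes an entry only when it matches, a constructed source address 10.0.0.5, and rule lists given in evaluation order (how -I positions the rules is left aside).

```python
"""Model of how iptables walks a chain that uses the 'recent' match.

Assumed semantics (iptables-extensions(8), xt_recent): --set records a
timestamp for the source and always matches; --update matches only if the
source is already listed and at least --hitcount timestamps fall within the
last --seconds, and it refreshes the entry only when it matches.
"""
from collections import defaultdict

SECONDS, HITCOUNT = 300, 10


class RecentTable:
    def __init__(self):
        self.stamps = defaultdict(list)  # source IP -> timestamps seen

    def set(self, ip, now):
        self.stamps[ip].append(now)
        return True

    def update(self, ip, now):
        if ip not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[ip] if now - t <= SECONDS)
        if hits >= HITCOUNT:
            self.stamps[ip].append(now)  # refresh "last seen" on match
            return True
        return False


def verdict(chain, table, ip, now):
    """Walk the chain in order: a matching rule with a target ends the walk,
    a match without a target (the bare --set rule) falls through."""
    for match, target in chain:
        if getattr(table, match)(ip, now) and target:
            return target
    return "ACCEPT"  # default policy assumed here


def first_dropped(order, attempts, interval=1):
    """1-based number of the first new connection attempt (spaced `interval`
    seconds apart) from constructed source 10.0.0.5 that is dropped."""
    table = RecentTable()
    chain = [("set", None), ("update", "DROP")]
    if order == "update-first":
        chain.reverse()
    for n in range(1, attempts + 1):
        if verdict(chain, table, "10.0.0.5", n * interval) == "DROP":
            return n
    return None


if __name__ == "__main__":
    for order in ("set-first", "update-first"):
        print(order, "-> first dropped attempt:", first_dropped(order, 20))
    # attempts spaced wider than --seconds never reach the hitcount
    print("one try every 301 s:", first_dropped("set-first", 20, 301))
```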