
Yeah, if you know the TCP/IP networking stack and iptables well enough. For most people, they do not. That's why sysadmins exist ;-)

Otherwise, can iptables ban those who failed more than 10 SSH logins?



"Otherwise, can iptables ban those who failed more than 10 SSH logins?"

Yes, sort of, though it's not "more than 10", it's "drop packets that look suspiciously like an automated attack", which I think is actually cooler because it never outright bans anyone but it makes it impossible to run an effective brute force attack. You'd use the "--state NEW" option to determine whether the connection is a new one or an established one. If someone connects over and over again to ssh (or any login-able service, really) within a short time you can drop them. Rules would look something like this:

  iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --update --seconds 15 -j DROP

  iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --set -j ACCEPT

Assuming, of course, that you're already accepting ESTABLISHED connections above those rules.

iptables is astonishingly powerful and flexible, and it's usually pretty easy to google up the right recipes, if you aren't quite sure of the incantations. It can be a little intimidating, but it more than repays you for the effort. When I did network consulting I was always surprised when I came upon a network where they had a Linux router, web server, mail server, etc., and then a Cisco PIX firewall sitting in front of it. Once again, it's just needless complexity, when the Linux box could do everything the PIX does (and possibly more, in the case of the low end PIX that I usually see).

Since you have professed iptables ignorance...are you sure CSF is doing anything sensible in your deployment? By that, I mean, do you have any idea what your firewall rules are actually doing and if they are effective for what you think they are effective for? I'm always a bit wary when I come upon a network where the people maintaining it have no idea what their systems are doing or how they work. While CSF may be a net positive, if the trend is toward avoiding knowledge, it's a dangerous direction to go in. I'm all for simplifying, and sometimes tools make things simpler. But, as I said, in my experience the "pile of shell" firewall scripts complexify things rather than simplify them.
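The recipe in the comment above, written out as an added example (it is not the commenter's script) that also generalizes it to the "more than N attempts in a window" case the question asked about: the `recent` match records every new SYN to the SSH port and drops the source once it has made `hitcount` new connections within `seconds`. Assumptions: the interface `eth0`, port 22, the 60-second window, the hit count of 4, and the list name `ssh_new` are hypothetical defaults; `-m conntrack --ctstate` is used in place of the older, deprecated `-m state --state` (same semantics). The script only prints the rules unless invoked with `apply` as root.

```shell
#!/bin/sh
# Added example, not code from the original thread. Generates (and optionally
# applies) an iptables ruleset that rate-limits new SSH connections per source
# address with the xt_recent match.

# gen_ssh_ratelimit IFACE PORT SECONDS HITCOUNT
# Prints the iptables commands in the order they must be appended.
# HITCOUNT=2 reproduces the comment's "drop any new connection that follows
# another within SECONDS"; larger values allow HITCOUNT-1 attempts per window.
gen_ssh_ratelimit() {
    iface=${1:-eth0}; port=${2:-22}; secs=${3:-60}; hits=${4:-4}   # hypothetical defaults
    # Match only the first packet of a new TCP connection to the SSH port.
    new="-A INPUT -i $iface -p tcp --dport $port -m conntrack --ctstate NEW"

    # 1. Established flows (and related ones, e.g. ICMP errors) are accepted
    #    first, so an existing SSH session is never hit by the DROP below.
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # 2. Record this source's timestamp in the 'ssh_new' list (no target, so
    #    evaluation continues to the next rule).
    echo "iptables $new -m recent --name ssh_new --set"
    # 3. Drop if the source now has HITCOUNT or more entries within SECONDS.
    #    --update refreshes the timestamp, so an attacker that keeps retrying
    #    stays blocked until it pauses for a full window.
    #    Note: xt_recent keeps at most ip_pkt_list_tot (default 20) timestamps
    #    per address, so --hitcount above that never fires.
    echo "iptables $new -m recent --name ssh_new --update --seconds $secs --hitcount $hits -j DROP"
    # 4. Anything else that is new and under the limit is allowed through.
    echo "iptables $new -j ACCEPT"
}

# Counts how many rules a generated ruleset contains; used by the self-check.
rule_count() {
    gen_ssh_ratelimit "$@" | wc -l | tr -d ' '
}

if [ "${1:-}" = apply ]; then
    # Apply as root; the default policy for INPUT is left untouched here.
    gen_ssh_ratelimit eth0 22 60 4 | sh
else
    # Dry run: show what would be applied.
    gen_ssh_ratelimit eth0 22 60 4
fi
```

Two caveats the comment's "never outright bans anyone" framing glosses over: the counter is per source address, so a few users behind one NAT share a budget and can lock each other out, and the rule limits connection attempts rather than failed logins; if the policy really has to be "10 failed passwords", that needs something reading sshd's log (a fail2ban-style tool), because the packet filter never sees authentication results.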
