[ previous ] [ next ] [ threads ]
 From:  Andrew Hull <list at racc2000 dot com>
 To:  Mono Wall list <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Block 300 IP's
 Date:  Mon, 12 Jan 2009 10:11:17 -0500
> 3. Limit connections
> You can also limit the number of SYN (connection establishment) 
> packets.  This should be unnoticed by legitimate users, but it will 
> delay an attacker that is making repeated connections.  If you wanted to 
> limit the rate to 3 per minute and were using port 2000:
> iptables -A INPUT -p tcp -dport 2000 -syn -m limit -limit 1/m 
> -limit-burst 3 -j ACCEPT
> iptables -A INPUT -p tcp -dport 2000 -syn -j DROP
> (If you need other firewall commands, let me know.  I'm just looking on 
> a local box here that's running iptables. :))

I know this is an old thread, but I wanted to comment on Ryan's 
suggestion here.

I used to use the LIMIT module to do exactly this, but I switched to the 
RECENT module.

The main reason for doing so (as they serve almost identical purpose and 
function) is that RECENT is included in the stock CentOS5 kernel and 
LIMIT is not.

I'm not scared of installing kernel-mods and what not, I just think 
simpler is better. This is a perfect opportunity to incorrectly cite
Occam's Razor.

I prefer to modify my servers at little as possible to get the job done 
-- ruling out options one and four. Also, as this is just a firewall 
rule, I use it to protect more then just SSH; it can be crafted to 
protect any service. I use it to protect FTP on my web servers where 
option two fails due to the simple-user problem.

Anyway, the RECENT module rocks. That is all I have to say.


-A FTP_CHECK -m recent  --set --name FTP --rsource
-A FTP_CHECK -m recent -j LOG  --log-prefix "FTP Drop " --update 
--seconds 60 --hitcount 5 --name FTP --rsource
-A FTP_CHECK -m recent -j DROP  --update --seconds 60 --hitcount 5 
--name FTP --rsource