Blocking SSH ... BUT...
Singer Wang
swang at cs.dal.ca
Wed Sep 19 19:07:40 UTC 2007
Have higher-up rules that allow you to do it :)
On Tue, Sep 18, 2007 at 11:53:24AM -0600, Ashley M. Kirchner (ashley at pcraft.com) wrote:
>
> Hey all,
>
> I have the following lines in my iptables config file to curb ssh
> knocking on our servers:
>
> # Let's see if we can curb SSH attacks.
> -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
>
> -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck
> --seconds 120 --hitcount 2 -j LOG --log-prefix "SSH REJECT: "
>
> -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck
> --seconds 120 --hitcount 2 -j REJECT --reject-with tcp-reset
>
>
> This works great...EXCEPT it also blocks our own access to the
> servers if we need to get on them in a short amount of time (less than
> 120 seconds). So how can I still implement the above blocking, but
> allow anything from our different subnets (we have 4) come through
> without going through that block routine?
>
> --
> W | It's not a bug - it's an undocumented feature.
> +--------------------------------------------------------------------
> Ashley M. Kirchner <mailto:ashley at pcraft.com> . 303.442.6410 x130
> IT Director / SysAdmin / Websmith . 800.441.3873 x130
> Photo Craft Imaging . 3550 Arapahoe Ave. #6
> http://www.pcraft.com ..... . . . Boulder, CO 80303, U.S.A.
>
> --
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
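The "higher-up rules" Singer refers to, worked through as an added example (not code from either poster): iptables evaluates a chain top to bottom, so an ACCEPT rule for each trusted subnet placed before the `-m recent` rules means packets from those sources never get entered into the `sshattack` list and are never counted against the two-hits-in-120-seconds limit. The script below builds that rule set in iptables-restore syntax and checks the ordering; it does not touch the kernel. The four subnets are constructed placeholders (documentation ranges plus 10.0.0.0/8) standing in for the poster's four real ones, and the `TRUSTED_SUBNETS` variable and function names are this example's own.

```shell
#!/bin/sh
# Added example: emit the SSH rate-limit rule set with trusted-subnet
# ACCEPT rules ahead of the "recent" match rules. Nothing is applied here;
# review the output, then feed it to `iptables-restore -n`.

# Constructed placeholder subnets; replace with the four real ones.
TRUSTED_SUBNETS="${TRUSTED_SUBNETS:-192.0.2.0/24 198.51.100.0/24 203.0.113.0/24 10.0.0.0/8}"

# Print a filter-table fragment in iptables-restore syntax.
ssh_rules() {
    echo '*filter'
    # 1. Trusted subnets first. A matching SYN is accepted here and never
    #    reaches the rate-limit rules, so it is never added to "sshattack".
    for net in $TRUSTED_SUBNETS; do
        echo "-A INPUT -p tcp --syn --dport 22 -s $net -j ACCEPT"
    done
    # 2. Everyone else: record the source on every SYN, then log and reject
    #    once a source has two entries within 120 seconds.
    echo '-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set'
    echo '-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck --seconds 120 --hitcount 2 -j LOG --log-prefix "SSH REJECT: "'
    echo '-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck --seconds 120 --hitcount 2 -j REJECT --reject-with tcp-reset'
    echo 'COMMIT'
}

# Ordering check: the last ACCEPT rule must come before the first
# "-m recent" rule. Returns 0 when the order is right, 1 otherwise.
check_order() {
    last_accept=$(ssh_rules | grep -n -- '-j ACCEPT' | tail -n 1 | cut -d: -f1)
    first_recent=$(ssh_rules | grep -n -- '-m recent' | head -n 1 | cut -d: -f1)
    [ -n "$last_accept" ] && [ -n "$first_recent" ] && [ "$last_accept" -lt "$first_recent" ]
}

# Number of trusted-subnet ACCEPT rules emitted (one per subnet).
accept_count() {
    ssh_rules | grep -c -- '-j ACCEPT'
}

# Usage: sh ssh_rules.sh --print > ssh-rules.txt && iptables-restore -n < ssh-rules.txt
if [ "${1:-}" = "--print" ]; then
    ssh_rules
fi
```

With `iptables -A` on a running system the same effect needs the ACCEPT rules appended before the three `recent` rules (or inserted above them with `-I INPUT <n>`); the `check_order` function is there precisely because a rule that lands below the `--set` line does nothing to stop the lockout. The exemption is keyed on source address only, so it covers exactly the listed subnets; administrators connecting from anywhere else are still subject to the two-SYN limit.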