[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Flood blocking

On Fri, Jun 05, 2009 at 22:29:32 -0600,
  "Ashley M. Kirchner" <ashley pcraft com> wrote:
>    I currently have one system I'm testing the following rules on:
>    iptables -N SSHSCAN
>    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSHSCAN
>    iptables -A SSHSCAN -m recent --set --name SSH
>    iptables -A SSHSCAN -m recent --update --seconds 300 --hitcount 2  
> --name SSH -j DROP
>    And just by watching it for the past few days, those rules seem to  
> work pretty well.  So, it made me wonder, can I apply the same rules for  
> FTP and e-mail (with the correct port information of course.)

I don't think it will work well for email. (I think list servers and other
servers that send you a lot of email will tend to get blocked.) Besides, if
your purpose is to stop password guessing attacks, there isn't much point in
blocking email that way. If you want to try to use it to help mitigate
spam, you'd probably be better off using grey listing to do this kind of

>    I get *a lot* of failed FTP attempts.  Especially when the sun comes  
> up in Asia.  And then there's the e-mail spam that also doesn't stop.   
> So, can I take those same set of rules above, replace the port number  
> and name, and have them work for FTP and e-mail as well?

Do you run an authenticated ftp server? If you just use ssh based file
transfers and/or anonymous ftp, then there probably isn't much point to
doing this.

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]