Flood blocking

Kevin O'Neil kevin at kevinslair.com
Sat Jun 6 23:03:09 UTC 2009


On Fri, 2009-06-05 at 22:29 -0600, Ashley M. Kirchner wrote:
> I currently have one system I'm testing the following rules on:
> 
>     iptables -N SSHSCAN
>     iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSHSCAN
>     iptables -A SSHSCAN -m recent --set --name SSH
>     iptables -A SSHSCAN -m recent --update --seconds 300 --hitcount 2 
> --name SSH -j DROP
> 
> 
>     And just by watching it for the past few days, those rules seem to 
> work pretty well.  So, it made me wonder, can I apply the same rules for 
> FTP and e-mail (with the correct port information of course.)
> 
>     I get *a lot* of failed FTP attempts.  Especially when the sun comes 
> up in Asia.  And then there's the e-mail spam that also doesn't stop.  
> So, can I take those same set of rules above, replace the port number 
> and name, and have them work for FTP and e-mail as well?
> 
>     Am I overlooking something really obvious?
> 

I downloaded and use fail2ban for email, ftp, ssh and others, it works
fairly well and is customizable using your /var/log/secure
and /var/log/maillog as well as the ftp log to automatically ban people
with iptables. If you do get it, you can ban them in seconds, but if you
use -1 it will permanently ban them.
Thanks,
Kevin




More information about the fedora-list mailing list