Flood blocking
Kevin O'Neil
kevin at kevinslair.com
Sat Jun 6 23:03:09 UTC 2009
On Fri, 2009-06-05 at 22:29 -0600, Ashley M. Kirchner wrote:
> I currently have one system I'm testing the following rules on:
>
> iptables -N SSHSCAN
> iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSHSCAN
> iptables -A SSHSCAN -m recent --set --name SSH
> iptables -A SSHSCAN -m recent --update --seconds 300 --hitcount 2
> --name SSH -j DROP
>
>
> And just by watching it for the past few days, those rules seem to
> work pretty well. So, it made me wonder, can I apply the same rules for
> FTP and e-mail (with the correct port information of course.)
>
> I get *a lot* of failed FTP attempts. Especially when the sun comes
> up in Asia. And then there's the e-mail spam that also doesn't stop.
> So, can I take those same set of rules above, replace the port number
> and name, and have them work for FTP and e-mail as well?
>
> Am I overlooking something really obvious?
>
I downloaded and use fail2ban for email, ftp, ssh and others, it works
fairly well and is customizable using your /var/log/secure
and /var/log/maillog as well as the ftp log to automatically ban people
with iptables. If you do get it, you can ban them in seconds, but if you
use -1 it will permanently ban them.
Thanks,
Kevin
More information about the fedora-list
mailing list