Blocking SSH ... BUT...
Mike Wright
mike.wright at mailinator.com
Tue Sep 18 18:19:23 UTC 2007
Ashley M. Kirchner wrote:
>
> Hey all,
>
> I have the following lines in my iptables config file to curb ssh
> knocking on our servers:
>
> # Let's see if we can curb SSH attacks.
> -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
>
> -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck
> --seconds 120 --hitcount 2 -j LOG --log-prefix "SSH REJECT: "
>
> -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck
> --seconds 120 --hitcount 2 -j REJECT --reject-with tcp-reset
>
>
> This works great...EXCEPT it also blocks our own access to the
> servers if we need to get on them in a short amount of time (less than
> 120 seconds). So how can I still implement the above blocking, but
> allow anything from our different subnets (we have 4) come through
> without going through that block routine?
>
Allow your subnets before the above rules. Here's a sample rule:
-A INPUT -s 10.0.0.0/24 -p tcp --dport 22 --syn -j ACCEPT
# subnet ^^^^^^^^^^^
You'd need one rule for each subnet.
hth
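As an added example (not from either poster), here is a small POSIX shell script that emits the whole ruleset with the per-subnet ACCEPT rules placed ahead of the "recent" counters, plus a check you can run over iptables-save output to confirm the whitelist is not shadowed by the rate limiter. The subnets are constructed placeholders; the helper names gen_ssh_rules and check_allow_before_recent are my own.

```shell
#!/bin/sh
# Added example: generate the SSH rate-limit rules from the thread with
# trusted subnets allowed first, and verify that ordering in a saved ruleset.

# Print INPUT rules in iptables-save format. Arguments: trusted subnets.
gen_ssh_rules() {
    for net in "$@"; do
        # Trusted sources are accepted here and never reach the counters below.
        printf '%s\n' "-A INPUT -s $net -p tcp --syn --dport 22 -j ACCEPT"
    done
    # Everyone else: every SYN is recorded by --set, so --rcheck with
    # --hitcount 2 matches the second SYN seen within 120 seconds.
    printf '%s\n' '-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set'
    printf '%s\n' '-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck --seconds 120 --hitcount 2 -j LOG --log-prefix "SSH REJECT: "'
    printf '%s\n' '-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck --seconds 120 --hitcount 2 -j REJECT --reject-with tcp-reset'
}

# Read rules on stdin (e.g. the output of iptables-save). Exit 0 only if no
# "-s <subnet> ... -j ACCEPT" rule for port 22 appears after the first
# "-m recent" rule for port 22; exit 1 if the whitelist is shadowed.
check_allow_before_recent() {
    awk '
        /--dport 22/ && /-m recent/ && !seen_recent { seen_recent = 1 }
        /--dport 22/ && / -s / && /-j ACCEPT/ && seen_recent { bad = 1 }
        END { exit (bad ? 1 : 0) }
    '
}

# Demo with four constructed subnets, matching the "we have 4" in the thread.
gen_ssh_rules 10.0.0.0/24 10.0.1.0/24 192.168.10.0/24 172.16.5.0/24
gen_ssh_rules 10.0.0.0/24 10.0.1.0/24 192.168.10.0/24 172.16.5.0/24 \
    | check_allow_before_recent && echo "ordering ok"
```

Pipe `iptables-save` into `check_allow_before_recent` after loading the rules to confirm nothing was inserted ahead of the ACCEPT lines.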