Flood blocking

Bruno Wolff III bruno at wolff.to
Sat Jun 6 16:58:19 UTC 2009


On Fri, Jun 05, 2009 at 22:29:32 -0600,
  "Ashley M. Kirchner" <ashley at pcraft.com> wrote:
>
>    I currently have one system I'm testing the following rules on:
>
>    iptables -N SSHSCAN
>    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSHSCAN
>    iptables -A SSHSCAN -m recent --set --name SSH
>    iptables -A SSHSCAN -m recent --update --seconds 300 --hitcount 2 --name SSH -j DROP
>
>
>    And just by watching it for the past few days, those rules seem to
> work pretty well.  So, it made me wonder, can I apply the same rules for
> FTP and e-mail (with the correct port information of course.)

I don't think it will work well for email. (I think list servers and other
servers that send you a lot of email will tend to get blocked.) Besides, if
your purpose is to stop password guessing attacks, there isn't much point in
blocking email that way. If you want to try to use it to help mitigate
spam, you'd probably be better off using grey listing to do this kind of
thing.

>    I get *a lot* of failed FTP attempts.  Especially when the sun comes
> up in Asia.  And then there's the e-mail spam that also doesn't stop.
> So, can I take those same set of rules above, replace the port number
> and name, and have them work for FTP and e-mail as well?

Do you run an authenticated ftp server? If you just use ssh based file
transfers and/or anonymous ftp, then there probably isn't much point to
doing this.
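Added example (not code posted by either participant in the thread): a small POSIX shell script that generates the "recent"-module chain from the post for any TCP service, so the same structure can be reused for FTP without retyping it. The conventions are my own assumptions, not the poster's: the chain is called "<NAME>SCAN", the recent list is "<NAME>", and the rules are printed rather than executed so they can be reviewed first and then piped into sh as root.

```shell
#!/bin/sh
# Added example, not from the original thread: emit the flood-blocking
# chain the post describes for an arbitrary service. Assumptions (mine):
# chain "<NAME>SCAN", recent list "<NAME>", rules printed, not executed.

IPT=${IPT:-iptables}

# flood_rules NAME PORT HITS SECONDS
# Prints rules that DROP new TCP connections to PORT from a source once it
# has opened HITS connections within SECONDS. Because --set runs before
# --update, the current connection is counted too: with HITS=2 the second
# new connection inside the window is dropped, and every further attempt
# refreshes the timestamp, so a persistent password guesser stays blocked.
flood_rules() {
    name=$1; port=$2; hits=$3; secs=$4
    chain="${name}SCAN"
    printf '%s -N %s\n' "$IPT" "$chain"
    printf '%s -A INPUT -p tcp --dport %s -m state --state NEW -j %s\n' \
        "$IPT" "$port" "$chain"
    printf '%s -A %s -m recent --set --name %s\n' "$IPT" "$chain" "$name"
    printf '%s -A %s -m recent --update --seconds %s --hitcount %s --name %s -j DROP\n' \
        "$IPT" "$chain" "$secs" "$hits" "$name"
}

# recent_list NAME
# Path where the kernel exposes the addresses currently tracked in list
# NAME (older kernels used /proc/net/ipt_recent/NAME instead). Reading it
# shows which sources are being counted and when they were last seen.
recent_list() {
    printf '/proc/net/xt_recent/%s\n' "$1"
}

# Services the reply considers worth protecting this way: SSH, and FTP if
# the server is authenticated. SMTP is deliberately left out: as the reply
# notes, list servers legitimately open many connections and would get
# blocked, and greylisting is the better tool against spam.
flood_rules SSH 22 2 300
flood_rules FTP 21 2 300
```

Run the script as an unprivileged user to review the output, then "sh flood.sh | sudo sh" to load the rules; afterwards "cat $(recent_list FTP)" lists the sources currently being counted.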