Reply to IP Banning for Multiple Attempts (Attacks) on Firewall? on Mon, 03 Apr 2006 11:01:53 GMT

usk — Mon, 03 Apr 2006 11:01:53 GMT

I have added this on my web server to limit the SSH brute force attacks, and it works quite well.

But I would very much like to have it in the firewall instead of on the server because I think it belongs there and it is quite annoying when I, by accident, lock myself out for 10 minutes when connecting from a local client. Maybe I should just change it so it doesn't block 192.168.* addresses ;)

What it does is that it logs and blocks the third attempt and it just blocks the 4.+ to avoid my logs are flodded.

iptables -A INPUT -p tcp –dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 600 --hitcount 4 --rttl --name SSH -j DROP
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j DROP

Reply to IP Banning for Multiple Attempts (Attacks) on Firewall? on Fri, 03 Mar 2006 19:58:35 GMT

hoba — Fri, 03 Mar 2006 19:58:35 GMT

That's a possible package request. You might want to add it to this thread: http://forum.pfsense.org/index.php?topic=6.0