Migrating from BSD to CentOS.
In BSD, there is a pf.conf packet filtering command called 'max-src-conn'.
And, with it, the firewall/packet filter counts the max failed attempts of an IP to ssh, or other defined proto. And, the author can establish a rule that after X fails in a session, the IP is logged to the (brutes) table, which then blocks the IP thereafter.
I've looked at the FAQ, forums, blogs and tutorials on iptables and cannot find the equivalent command. It seems the common recommendation is snort or fail2ban to accomplish this.
Thoughts?
iptables - limit failed log in attempt by ip
- Posts: 14
- Joined: 2015/02/01 01:40:52
Re: iptables - limit failed log in attempt by ip
You can also set up iptables to do something similar using the -m recent module.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
- Posts: 14
- Joined: 2015/02/01 01:40:52
Re: iptables - limit failed log in attempt by ip
I found this and it is very similar to the packet filtering method in BSD.
## Permit SSH port and prevent bruteforce by allowing 3 ssh attempts in a minute
# (the -m recent --set / --update rules must come before the ACCEPT rule; otherwise ACCEPT matches first and the limit never applies)
IPTABLES=/sbin/iptables   # adjust if your iptables binary lives elsewhere
SSH_PORT=22               # the port sshd listens on
# log every new SSH connection attempt (LOG is non-terminating, so rule processing continues)
$IPTABLES -A INPUT -p tcp --dport ${SSH_PORT} -m state --state NEW -j LOG --log-prefix "SSH Log:"
# record the source address of each new connection in the recent list named DEFAULT
$IPTABLES -A INPUT -p tcp --dport ${SSH_PORT} -m state --state NEW -m recent --set --name DEFAULT --rsource
# drop the 4th and later new connections from the same source within 60 seconds (the option is --hitcount, not "--hit count")
$IPTABLES -A INPUT -p tcp --dport ${SSH_PORT} -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j DROP
# anything that got this far on the SSH port is accepted
$IPTABLES -A INPUT -t filter -p tcp --dport ${SSH_PORT} -j ACCEPT
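To see exactly when the DROP rule fires, here is an added Python model of the xt_recent sliding window (not code from this thread or from iptables itself); it assumes the rule order LOG, --set, --update/DROP, ACCEPT and uses constructed timestamps and addresses.

```python
from collections import defaultdict

SECONDS = 60    # --seconds 60
HITCOUNT = 4    # --hitcount 4: the 4th NEW connection inside the window is dropped, so 3 get through
LIST_SIZE = 20  # xt_recent keeps at most ip_pkt_list_tot timestamps per address (default 20)


class RecentList:
    """Model of one named xt_recent list (the rules use --name DEFAULT --rsource)."""

    def __init__(self):
        self.entries = defaultdict(list)  # source IP -> timestamps of recorded hits

    def set(self, src, now):
        """--set: create the entry if needed and record a hit for this packet."""
        stamps = self.entries[src]
        stamps.append(now)
        del stamps[:-LIST_SIZE]           # ring buffer: keep only the newest LIST_SIZE stamps

    def update(self, src, now, seconds, hitcount):
        """--update --seconds S --hitcount N: match when the source already has at least N hits
        in the last S seconds; unlike --rcheck, a match records one more hit (the block extends)."""
        stamps = self.entries.get(src)
        if stamps is None:
            return False
        if sum(1 for t in stamps if now - t <= seconds) >= hitcount:
            self.set(src, now)
            return True
        return False


def ssh_verdicts(attempts, seconds=SECONDS, hitcount=HITCOUNT):
    """Run NEW SSH connections, given as (time_in_seconds, src_ip), through the rule
    order LOG -> --set -> --update/DROP -> ACCEPT and return one verdict per attempt."""
    recent = RecentList()
    verdicts = []
    for now, src in attempts:
        recent.set(src, now)                            # -m recent --set
        if recent.update(src, now, seconds, hitcount):  # -m recent --update ... -j DROP
            verdicts.append("DROP")
        else:
            verdicts.append("ACCEPT")                   # the plain ACCEPT rule
    return verdicts


# Constructed sample: 203.0.113.5 opens five connections within 20 s, 198.51.100.9 opens
# one, then 203.0.113.5 comes back after its 60 s window has expired.
SAMPLE = [(0, "203.0.113.5"), (5, "203.0.113.5"), (10, "203.0.113.5"), (15, "203.0.113.5"),
          (20, "203.0.113.5"), (30, "198.51.100.9"), (120, "203.0.113.5")]

if __name__ == "__main__":
    for (t, src), verdict in zip(SAMPLE, ssh_verdicts(SAMPLE)):
        print(f"t={t:3d}s {src:14} {verdict}")
```

Because --update adds another timestamp on every match, a source that keeps retrying inside the window stays blocked; --rcheck would only test the list without extending it.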