SSH rate limit per IP. New method, SSH rate connect limiting per IP.
Ok, we have a new method of rate limiting.
This new method is WAYYY better.
the
old -m limit method limits per packet per port.. if you have someone
flooding your ssh connetion, it'll actually disable the service all
around, causing YOU not to be able to get on. not really the effect you
wanted.
This new method, actually bases its rate limit on a per IP basis.
So if you are getting flooded from 1 ip specifically, only that 1 ip will be locked down.
Everyone else will be able to get on still. as long as they stay within the connection limit itself.
I'll be honest. *I* didnt figure this out. i found it on a url
It does work, as a few linux-noob'ers helped me test it successfully.
-----------
The
way the recent module works is fairly straightforward, you basically
add IP addresses to a list, which can then be used in the future to
test connection attempts against. This allows you to limit the number
of connections against either a number of seconds, or connection
attempts. In our example we'll do both.
An example is probably
the simplest way to illustrate how it works. The following two rules
will limit incoming connections to port 22 to no more than 3 attemps in
a minute - an more than that will be dropped:
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
--set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
--update --seconds 60 --hitcount 4 -j DROP
The
--state flag takes a comma seperated list of connection states as an
argument, by using "--state NEW" as we did we make sure that only new
connections are managed by the module.
The --set parameter in
the first line will make sure that the IP address of the host which
initiated the connection will be added to the "recent list", where it
can be tested and used again in the future i.e. in our second rule.
The
second rule is where the magic actually happens. The --update flag
tests whether the IP address is in the list of recent connections, in
our case each new connection on port 22 will be in the list because we
used the --set flag to add it in the preceeding rule.
Once
that's done the --seconds flag is used to make sure that the IP address
is only going to match if the last connection was within the timeframe
given. The --hitcount flag works in a similar way - matching only if
the given count of connection attempts is greater than or equal to the
number given.
Together the second line will DROP an incoming connection if:
* The IP address which initiated the connection has previously been added to the list and
* The IP address has sent a packet in the past 60 seconds and
* The IP address has sent more than 4 packets in total.
You
can adjust the numbers yourself to limit connections further, so the
following example will drop incoming connections which make more than 2
connection attempts upon port 22 within ten minutes:
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
--set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
--update --seconds 600 --hitcount 2 -j DROP
If you wish to test these rules you can script a number of connection attempts from an external host with the netcat package.
The
following script attempts to connect to the IP address 192.168.1.1 5
times. The first couple of attempts you should see a welcome banner
such as "SSH-2.0-OpenSSH_3.8.1p1 Debian-8.sarge.4" - after that the
script will hang as it's packets are dropped and no response is sent:
#!/bin/bash
for i in `seq 1 5` ; do
echo 'exit' | nc 192.168.1.1 22 ;
done
There's
a lot of documentation on the netfilter/iptables firewall, and it's
available modules which you can find in the Netfilter Extension HOWTO.
This
HOWTO contains documentation on many different modules, along with
examples. A recommended read if you're interested in Linux firewalling.
If
you wish to experiment with rules and testing it's worth remembering
how to remove all active rules. The following commands will flush your
iptables filewall, and remove all currently active rules:
iptables -F
iptables -X
阅读(4837) | 评论(1) | 转发(0) |