Chinaunix首页 | 论坛 | 博客
  • 博客访问: 1007202
  • 博文数量: 442
  • 博客积分: 1146
  • 博客等级: 少尉
  • 技术积分: 1604
  • 用 户 组: 普通用户
  • 注册时间: 2010-11-04 12:52
个人简介

123

文章分类

全部博文(442)

文章存档

2017年(3)

2016年(15)

2015年(132)

2014年(52)

2013年(101)

2012年(110)

2011年(29)

分类: LINUX

2015-01-10 16:48:47

recent v1.2.11 options:
[!] --set                       Add source address to list, always matches.
[!] --rcheck                    Match if source address in list.
[!] --update                    Match if source address in list, also update last-seen time.
[!] --remove                    Match if source address in list, also removes that address from list.
    --seconds seconds           For check and update commands above.
                                Specifies that the match will only occur if source address last seen within
                                the last 'seconds' seconds.
    --hitcount hits             For check and update commands above.
                                Specifies that the match will only occur if source address seen hits times.
                                May be used in conjunction with the seconds option.
    --rttl                      For check and update commands above.
                                Specifies that the match will only occur if the source address and the TTL
                                match between this packet and the one which was set.
                                Useful if you have problems with people spoofing their source address in order
                                to DoS you via this module.
    --name name                 Name of the recent list to be used.  DEFAULT used if none given.
    --rsource                   Match/Save the source address of each packet in the recent list table (default).
    --rdest                     Match/Save the destination address of each packet in the recent list table.
ipt_recent v0.3.1: Stephen Frost .  

recent
       Allows you to dynamically create a list of IP addresses and then match against that list  in  a  few  different
       ways.

       For  example,  you  can create a `badguy' list out of people attempting to connect to port 139 on your firewall
       and then DROP all future packets from them without considering them.

       --name name
              Specify the list to use for the commands. If no name is given then 'DEFAULT' will be used.

       [!] --set
              This will add the source address of the packet to the list. If the source  address  is  already  in  the
              list,  this will update the existing entry. This will always return success (or failure if `!' is passed
              in).

       [!] --rcheck
              Check if the source address of the packet is currently in the list.

       [!] --update
              Like --rcheck, except it will update the "last seen" timestamp if it matches.

       [!] --remove
              Check if the source address of the packet is currently in the list  and  if  so  that  address  will  be
              removed from the list and the rule will return true. If the address is not found, false is returned.

       [!] --seconds seconds
              This  option  must  be used in conjunction with one of --rcheck or --update. When used, this will narrow
              the match to only happen when the address is in the list and was seen within the last  given  number  of
              seconds.

       [!] --hitcount hits
              This  option  must  be used in conjunction with one of --rcheck or --update. When used, this will narrow
              the match to only happen when the address is in the list and packets had been received greater  than  or
              equal  to the given value. This option may be used along with --seconds to create an even narrower match
              requiring a certain number of hits within a specific time frame.

       --rttl This option must be used in conjunction with one of --rcheck or --update. When used,  this  will  narrow
              the  match to only happen when the address is in the list and the TTL of the current packet matches that
              of the packet which hit the --set rule. This may be useful if you have problems with people faking their
              source  address in order to DoS you via this module by disallowing others access to your site by sending
              bogus packets to you.

解决具体问题:限制 ssh 猜密码,对每个 IP 允许三分钟内允许有 5 次 TCP 的 NEW 请求

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ROUTER-SSH --update --seconds 180 --hitcount 10 -j REJECT --reject-with tcp-reset

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ROUTER-SSH --set -j ACCEPT
阅读(620) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~