Created January 29, 2013 07:19
This iptables snippet opens port 22 to everyone, but limits each source IP to 8 new connections on that port within one 3-minute window; once a source IP reaches that count it is blocked for 10 minutes. Both accepted and blocked ('tripped') connections are logged. Everything is done inside the firewall itself (the block list is an ipset).
Create the set that holds blocked source IPs (entries expire on their own after 600 seconds); this is a shell command, run once before the rules are loaded:

```sh
ipset -exist create blackhole hash:ip timeout 600
```

Filter-table rules in iptables-restore syntax. SSH-ALL and SSH-BLOCKED are user-defined chains and must exist (iptables -N) before these lines are appended:

```
# Anything already in the blackhole set is dropped before any other port-22 handling.
-A INPUT -m set --match-set blackhole src -j DROP
# --syn restricts the jump to connection-opening packets, so the counter below counts
# connections rather than every packet of an established session (the original line
# had no --syn and relied on an earlier ESTABLISHED accept rule to keep session traffic out).
-A INPUT -p tcp -m tcp --dport 22 --syn -j SSH-ALL
# Record this source in the "SSH" recent list, then check whether it now has 8 hits
# within the last 180 s; if so, hand it to SSH-BLOCKED.
-A SSH-ALL -p tcp -m recent --set --name SSH --rsource
-A SSH-ALL -p tcp -m recent --update --seconds 180 --hitcount 8 --name SSH --rsource -j SSH-BLOCKED
# Otherwise log and accept. ULOG was removed in Linux 3.17; on newer kernels use
# -j NFLOG --nflog-group 1 --nflog-prefix "..." instead.
-A SSH-ALL -p tcp -j ULOG --ulog-nlgroup 1 --log-prefix "Accepted-ssh Event: "
-A SSH-ALL -p tcp -j ACCEPT
# Tripped: log, add the source to the blackhole set (blocked for the set's 600 s timeout), drop.
-A SSH-BLOCKED -p tcp -j ULOG --ulog-nlgroup 1 --log-prefix "Blocked-ssh Event: "
-A SSH-BLOCKED -p tcp -j SET --add-set blackhole src
-A SSH-BLOCKED -p tcp -j DROP
```
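The following Python model of the rule set is an added example, not part of the gist: it reproduces how xt_recent's `--seconds 180 --hitcount 8` sliding window and the ipset's 600 s timeout interact, so the trip point and the recovery time can be checked on constructed connection timings. The IPs and timings are constructed sample input; the `syn_only` switch models whether the port-22 jump carries `--syn`.

```python
from collections import deque

WINDOW = 180         # -m recent --seconds 180
HITCOUNT = 8         # -m recent --hitcount 8
BLACKHOLE_TTL = 600  # ipset ... timeout 600
PKT_LIST_TOT = 20    # xt_recent default ring size (ip_pkt_list_tot) per address

class SshGuard:
    """Model of the INPUT -> SSH-ALL -> SSH-BLOCKED path and the blackhole set."""
    def __init__(self, syn_only=True):
        self.syn_only = syn_only   # True models '--syn' on the port-22 jump (assumption)
        self.recent = {}           # src -> ring of timestamps, as xt_recent keeps them
        self.blackhole = {}        # src -> expiry time, as the ipset timeout
        self.log = []              # what the ULOG rules would emit

    def packet(self, src, now, syn=True):
        """Verdict for one TCP packet to port 22 from src at time now (seconds)."""
        # -A INPUT -m set --match-set blackhole src -j DROP
        expiry = self.blackhole.get(src)
        if expiry is not None:
            if now < expiry:
                return "DROP"
            del self.blackhole[src]          # ipset entry timed out
        if self.syn_only and not syn:
            return "PASS"                    # not a connection opener: SSH-ALL is skipped
        # -A SSH-ALL -m recent --set --name SSH --rsource: record this packet
        stamps = self.recent.setdefault(src, deque(maxlen=PKT_LIST_TOT))
        stamps.append(now)
        # -A SSH-ALL -m recent --update --seconds 180 --hitcount 8 -j SSH-BLOCKED
        hits = sum(1 for t in stamps if now - t <= WINDOW)
        if hits >= HITCOUNT:
            self.log.append(f"Blocked-ssh Event: SRC={src}")
            self.blackhole[src] = now + BLACKHOLE_TTL   # -j SET --add-set blackhole src
            return "DROP"
        self.log.append(f"Accepted-ssh Event: SRC={src}")
        return "ACCEPT"

def burst(guard, src, times, syn=True):
    """Feed packets at the given times and return the list of verdicts."""
    return [guard.packet(src, t, syn) for t in times]

if __name__ == "__main__":
    g = SshGuard()
    # Constructed sample: eight connection attempts in eight seconds trip the block...
    print(burst(g, "192.0.2.10", range(8)))      # 7 x ACCEPT then DROP
    print(g.packet("192.0.2.10", 100))           # still DROP: blackholed for 600 s
    print(g.packet("192.0.2.10", 7 + 600))       # ACCEPT again once the set entry expires
    # ...while eight attempts spaced 30 s apart never have eight inside one 180 s window.
    print(burst(g, "192.0.2.20", range(0, 211, 30)))
```

Running the model with `syn_only=False` shows why the `--syn` (or an ESTABLISHED accept rule ahead of the jump) matters: one session's ordinary ACK packets would reach the hit count within seconds.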