From: Norman Yarvin
To: Dave Taht
Cc: cerowrt-devel@lists.bufferbloat.net
Date: Sat, 22 Mar 2014 16:04:24 -0400
Subject: Re: [Cerowrt-devel] BCP38 implementation
Message-ID: <20140322200424.GA11911@muttonhead.home.lan>
References: <87txataord.fsf@toke.dk> <87pplh9q09.fsf@toke.dk> <87ior9ow66.fsf@toke.dk>
User-Agent: Mutt/1.5.22 (2013-10-16)
List-Id: Development issues regarding the cerowrt test router project

On Thu, Mar 20, 2014 at 10:38:17AM -0700, Dave Taht wrote:
>An example idea is that I average 2 ssh dictionary attacks/sec on some
>of my boxes, and I'd just as soon start dropping connection attempts
>after X number of tries....

That's not hard to do, via the "recent" iptables module.  Here's my set of
custom rules for it.
I set up a "throttle" chain to do the work:

    iptables -N throttle
    iptables -A throttle -m recent --update --seconds 1200 --hitcount 4 -j DROP
    iptables -A throttle -m recent --set
    iptables -A throttle -j ACCEPT

Then after a bit of preliminary filtering I forward incoming ssh and ftp
attempts to the "throttle" chain:

    iptables -I INPUT -i ge00 -m conntrack --ctstate NEW -p tcp --dport ssh \
        -j throttle
    iptables -I INPUT -i ge00 -m conntrack --ctstate NEW -p tcp --dport ftp \
        -j throttle

-- 
Norman Yarvin
http://yarchive.net/blog
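To make the chain's behaviour concrete without a router, here is an added Python model of the xt_recent semantics the throttle chain relies on. It is not code from the mail or from CeroWrt. It follows the kernel's rules that --set always records a hit, that --update matches only when the source already has at least --hitcount stamps inside the --seconds window and refreshes the "last seen" stamp only on a match, and that each address keeps at most ip_pkt_list_tot (default 20) stamps. The addresses, timestamps and the alternative rule ordering are constructed for illustration; the model also goes slightly beyond the mail by tracing the other widely copied ordering (--set before --update) for comparison.

```python
"""Added model of the iptables "recent" match as used by the throttle chain.

Not code from the mail or from CeroWrt: a small simulation of xt_recent's
--set and --update/--seconds/--hitcount semantics, so the chain's verdicts
can be traced on constructed connection attempts.
"""

IP_PKT_LIST_TOT = 20  # xt_recent keeps at most this many stamps per address (module default)


class RecentTable:
    """One xt_recent table: a per-source ring buffer of hit timestamps."""

    def __init__(self, slots=IP_PKT_LIST_TOT):
        self.slots = slots
        self.stamps = {}  # src -> list of timestamps, oldest first

    def _record(self, src, now):
        lst = self.stamps.setdefault(src, [])
        lst.append(now)
        if len(lst) > self.slots:  # ring buffer: the oldest stamp is overwritten
            del lst[0]

    def set(self, src, now):
        """--set: always matches and adds one hit for src."""
        self._record(src, now)
        return True

    def update(self, src, now, seconds, hitcount):
        """--update --seconds S --hitcount N: match when src already has at
        least N hits within the last S seconds.  As in the kernel, the
        'last seen' stamp is added only when the rule matches."""
        lst = self.stamps.get(src)
        if lst is None:
            return False
        hits = sum(1 for t in lst if not seconds or now - t <= seconds)
        if not hitcount or hits >= hitcount:
            self._record(src, now)
            return True
        return False


def throttle(table, src, now, seconds=1200, hitcount=4, check_first=True):
    """Verdict of the mail's throttle chain for one NEW connection from src.

    check_first=True is the chain as posted (--update ... -j DROP, then --set,
    then ACCEPT).  check_first=False models the other common ordering
    (--set first, then --update ... -j DROP), which trips one attempt earlier.
    """
    if check_first:
        if table.update(src, now, seconds, hitcount):
            return "DROP"
        table.set(src, now)
        return "ACCEPT"
    table.set(src, now)
    if table.update(src, now, seconds, hitcount):
        return "DROP"
    return "ACCEPT"


def run(events, **opts):
    """Feed (time, src) connection attempts through a fresh table; return verdicts."""
    table = RecentTable()
    return [throttle(table, src, now, **opts) for now, src in events]


# Constructed sample (not real traffic): a dictionary attacker at 198.51.100.7
# bursts five attempts, an admin at 203.0.113.5 logs in once, and the attacker
# then retries every 300 s, which is exactly hitcount/seconds = 4/1200 per second.
ATTACKER, ADMIN = "198.51.100.7", "203.0.113.5"
SAMPLE = [(t, ATTACKER) for t in range(5)] + [(5, ADMIN)] + \
         [(t, ATTACKER) for t in (300, 600, 900, 1200, 1500)]

# Same burst, but the attacker backs off to one try per 400 s (below 4/1200 per
# second), so fewer than four stamps stay inside the window and the block ages out.
SLOW_RETRY = [(t, ATTACKER) for t in range(5)] + \
             [(t, ATTACKER) for t in (400, 800, 1200, 1600)]

if __name__ == "__main__":
    print("as posted:       ", run(SAMPLE))
    print("slow retry:      ", run(SLOW_RETRY))
    print("set before update", run(SAMPLE, check_first=False))
```

Tracing the chain as posted, the first four new connections from an address are accepted and the fifth is dropped; with --set placed before --update the fourth is already dropped, so the two orderings differ by one attempt. Because a matching --update refreshes the stamp, every dropped attempt extends the block: an attacker who keeps retrying at a rate of at least hitcount/seconds (one try per 300 s with these numbers) never gets back in, while one who backs off below that rate is admitted again once fewer than four stamps remain in the window. The counter is per source address and counts every NEW connection, not just failed logins, so four legitimate ssh or scp sessions within twenty minutes from one address (or from several hosts behind one NAT) trip it as well; and --hitcount must not exceed ip_pkt_list_tot or the rule can never match.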