[Cerowrt-devel] BCP38 implementation

Norman Yarvin yarvin at yarchive.net
Sat Mar 22 16:04:24 EDT 2014

On Thu, Mar 20, 2014 at 10:38:17AM -0700, Dave Taht wrote:

>An example idea is that I average 2 ssh dictionary attacks/sec on some
>of my boxes, and I'd just as soon start dropping connection attempts
>after X number of tries....

That's not hard to do, via the "recent" iptables module.  Here's my
set of custom rules for it.  I set up a "throttle" chain to do the

iptables -N throttle
iptables -A throttle -m recent --update --seconds 1200 --hitcount 4 -j DROP
iptables -A throttle -m recent --set
iptables -A throttle -j ACCEPT

Then after a bit of preliminary filtering I forward incoming ssh and
ftp attempts to the "throttle" chain:

iptables -I INPUT -i ge00 -m conntrack --ctstate NEW -p tcp --dport ssh \
        -j throttle
iptables -I INPUT -i ge00 -m conntrack --ctstate NEW -p tcp --dport ftp \
        -j throttle

Norman Yarvin					http://yarchive.net/blog

More information about the Cerowrt-devel mailing list