ddos defence?

Paul Allen Newell pnewell at cs.cmu.edu
Wed Jan 18 07:07:58 UTC 2012


On 1/17/2012 8:43 PM, jdow wrote:
>
> This is a set of iptables rules that essentially "deals" with packets
> that come in too fast. Anything more than one attempt in one minute is
> logged and rejected. You can also forgo logging and DROP the packet if
> you wish. (This specifically drops ssh packets. But it can be triggered
> by almost any attempt to connect to your system, whether it fails or
> not.) Got no logging? Drop the second line and its continuations. To
> DROP instead of REJECT change the third line's REJECT to DROP.
>
> iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack \
>   --set
> iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
>   --rcheck --seconds 60 --hitcount 2 -j LOG --log-prefix 'SSH REJECT: ' \
>   --log-level info
> iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
>   --rcheck --seconds 60 --hitcount 2 -j REJECT --reject-with tcp-reset
>
> If the normal traffic to the site is really light 180 seconds works nice.
> If it's quite light 60 seconds is fine. If it's modest perhaps 10 seconds
> is OK. I'd not use it on a site with Google level traffic, of course.
>
> {^_^}

jdow:

How does one add a rule to this that allows LAN attempts to not be 
subject to this rule? Often when I need to sync things up, I ssh to all 
machines in the LAN and can do more than one within 60 seconds. Normal 
traffic is expected to be near nil, but the blast of everyone ssh'ing to 
everyone does happen.

Thanks in advance,
Paul


