On 21.02.2021 12:12, Toralf Förster wrote:
> Would an iptables rule with "recent" and "limit" be a solution here? If yes, how do you use that (do you have a code snippet)?
Example SSH:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

## Drop incoming connections which make more than 4 connection attempts upon port 22 within ten minutes
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh --set
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh --update --seconds 600 --hitcount 4 -j DROP

## To list these damned IPs: 'nano /proc/net/xt_recent/ssh' or
## 'cat /proc/net/xt_recent/ssh > recent-ssh.txt'

Multiport example:

# Up to 15 ports can be specified. A port range (port:port) counts as two ports.
# Drop incoming connections which make more than 10 connection attempts upon ports x-y within 1 minute
-A INPUT -p tcp -m multiport --dports xx:yy -m state --state NEW -m recent --name syfloo --set
-A INPUT -p tcp -m multiport --dports xx:yy -m state --state NEW -m recent --name syfloo --update --seconds 60 --hitcount 10 -j DROP
Be sure to look for ip_list_tot (number of IPs to remember per list):
cat /sys/module/xt_recent/parameters/ip_list_tot
nifty must increase to 10000 ;-)
https://ipset.netfilter.org/iptables-extensions.man.html
--connlimit-upto & --connlimit-above look interesting too.
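Added example, not part of the thread or of any netfilter code: a small Python model of how the --set / --update rule pair above decides on each NEW connection, so the 600-second window and hitcount 4 behaviour can be reasoned about offline. It assumes whole-second timestamps, a single list, and the xt_recent default of 20 remembered packet times per source (ip_pkt_list_tot); the sample events are constructed.

```python
from collections import defaultdict, deque

# Model of the two-rule pattern: rule 1 (--set) records every NEW connection,
# rule 2 (--update --seconds S --hitcount N -j DROP) drops when N or more
# recorded packets from the same source fall within the last S seconds.
# Assumptions: whole-second times, one list, 20 stamps per source (kernel default).
SECONDS, HITCOUNT, PKT_LIST_TOT = 600, 4, 20


class RecentTable:
    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=PKT_LIST_TOT))

    def set(self, src, now):
        # --set: always record this packet's time for the source
        self.stamps[src].append(now)

    def update(self, src, now):
        # --update: match if >= HITCOUNT stamps lie within SECONDS of now.
        # xt_recent refreshes the entry only when the match succeeds, so a
        # source that keeps knocking while blocked keeps extending its block.
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if t + SECONDS > now)
        if hits >= HITCOUNT:
            self.stamps[src].append(now)
            return True
        return False


def filter_new_connections(events):
    """events: iterable of (time_in_seconds, source_ip) for NEW SYNs to port 22.
    Returns [(time, src, 'ACCEPT' | 'DROP'), ...] in time order."""
    table = RecentTable()
    verdicts = []
    for now, src in sorted(events):
        table.set(src, now)                # rule 1: --set
        dropped = table.update(src, now)   # rule 2: --update ... -j DROP
        verdicts.append((now, src, "DROP" if dropped else "ACCEPT"))
    return verdicts


# Constructed sample: one host retries every 10 s, another connects rarely.
SAMPLE = [(0, "203.0.113.5"), (10, "203.0.113.5"), (20, "203.0.113.5"),
          (30, "203.0.113.5"), (40, "203.0.113.5"), (700, "203.0.113.5"),
          (0, "198.51.100.7"), (900, "198.51.100.7")]

if __name__ == "__main__":
    for row in filter_new_connections(SAMPLE):
        print(*row)
```

The fourth attempt from 203.0.113.5 (at t=30) is the first one dropped; at t=700 the earlier stamps have aged out of the 600-second window and the host is accepted again.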