
BLU Discuss list archive



iptables 'recent' stuff



On Wed, Jul 27, 2005 at 10:53:34AM -0400, Derek Atkins wrote:
> dsr at tao.merseine.nu writes:
> So something like this in /etc/sysconfig/iptables would do what I
> wanted?
> 
> -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh --set

Adds the packet info to the ssh recent list

> -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh --update --seconds 60 --hitcount 4 -j LOG --log-level WARN --log-prefix SSH-TOO-FAST

This logs packets which have appeared 4 times in the last 60 secs

> -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh --update --seconds 60 --hitcount 4 -j REJECT --reject-with icmp-host-prohibited

This should be --rcheck instead of --update, as the packet count
does not need to be updated.

> Question: is there some way to have a rule that if one 'recent'
> check passed then I can set another one?  E.g., I'd like to be able
> to do something like:
> 
> if packet matches XX, set badguy
> if packet matches YY, set badguy if YY-hitcount >= 4
> if packet matches ZZ, set badguy if ZZ-hitcount >= 6
> if badguy, drop
> 
> I just don't know if you can have multiple "recent name" settings like
> this?

I think I understand what you want -- anyone who is on any of
the idiot lists, drop all packets from them -- but I don't think
you can do it this way.

-dsr-
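Added example, not part of the thread: a small Python model of how the `recent` match evaluates the three-rule chain discussed above, with the REJECT rule using `--rcheck` as suggested. It follows the kernel's xt_recent behaviour (a ring of per-address timestamps, `--seconds` window, `--hitcount` threshold, and `--update` adding a stamp only when the rule matches), so it shows why the fourth NEW connection inside 60 seconds is rejected and why the address is accepted again once its stamps age out. The 20-stamp ring size, packet times and addresses are constructed assumptions.

```python
# Model of iptables -m recent (--set / --rcheck / --update) for the ssh chain.
# Constructed example; times are seconds, addresses are arbitrary labels.
from collections import defaultdict, deque

LIST_TOT = 20          # assumed kernel default ip_pkt_list_tot: stamps per address

class RecentList:
    """One named list (--name ssh): source address -> ring of hit timestamps."""
    def __init__(self):
        self.entries = defaultdict(lambda: deque(maxlen=LIST_TOT))

    def set(self, addr, now):
        # --set: add the address, or add another stamp to an existing entry
        self.entries[addr].append(now)
        return True

    def _hits(self, addr, now, seconds, hitcount):
        # --rcheck/--update: match if >= hitcount stamps fall in the last `seconds`
        if addr not in self.entries:
            return False
        hits = sum(1 for t in self.entries[addr] if t >= now - seconds)
        return hits >= max(hitcount, 1)

    def rcheck(self, addr, now, seconds, hitcount):
        return self._hits(addr, now, seconds, hitcount)

    def update(self, addr, now, seconds, hitcount):
        matched = self._hits(addr, now, seconds, hitcount)
        if matched:                    # xt_recent refreshes the stamp only on match
            self.entries[addr].append(now)
        return matched

def ssh_chain(recent, addr, now, log):
    """Verdict for one NEW packet to port 22 under the corrected chain:
    --set ; --update --seconds 60 --hitcount 4 -j LOG ; --rcheck ... -j REJECT."""
    recent.set(addr, now)
    if recent.update(addr, now, 60, 4):
        log.append(f"{now}: SSH-TOO-FAST {addr}")   # LOG does not end traversal
    if recent.rcheck(addr, now, 60, 4):
        return "REJECT"
    return "ACCEPT"                                 # assumed chain default

def simulate(packets):
    """packets: iterable of (time_seconds, src_addr) -> (verdicts, log lines)."""
    recent, log, verdicts = RecentList(), [], []
    for now, addr in packets:
        verdicts.append(ssh_chain(recent, addr, now, log))
    return verdicts, log
```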



