Iptables tips and tricks. Limiting the number of connections

From LinuxReviews

If you are using SSH then you will sooner or later notice someone trying to hack into your box using dictionary attacks.

You can use the iptables module recent to enforce a minimum interval between new connections from the same IP.

To make this work, you should have this commonly used rule (this allows previously established connections and is a normal rule in most firewalls):

iptables -A INPUT -j ACCEPT -p tcp ! --syn -s 0/0 -d (outer ip/net)

Now, to set the limit:

iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --update --seconds 15 -j DROP
iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --set -j ACCEPT

These two rules make iptables require 15 seconds between new connections from the same IP on port 22 (the SSH port). Use ACCEPT instead if you are using a firewall that has its own rule for accepting ssh.
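As an added illustration that is not part of the LinuxReviews text, the following Python model replays a constructed sequence of NEW SYNs to port 22 through the two recent-module rules above. It shows the point a defender should know about --update: every blocked attempt refreshes the source's timestamp, so a client that keeps retrying inside the 15-second window stays blocked until it pauses for longer than that. The IPs are documentation addresses and the timestamps are constructed; the table is a simplified stand-in for the kernel's xt_recent list.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SECONDS = 15  # the --seconds 15 value used in the rules above


@dataclass
class RecentTable:
    """Simplified model of the xt_recent DEFAULT list: last-seen time per source IP."""
    last_seen: Dict[str, float] = field(default_factory=dict)

    def update(self, ip: str, now: float, seconds: float) -> bool:
        """-m recent --update --seconds N: match if ip is listed and was seen
        within the last N seconds; on a match, refresh its timestamp."""
        seen = self.last_seen.get(ip)
        if seen is not None and now - seen <= seconds:
            self.last_seen[ip] = now
            return True
        return False

    def set(self, ip: str, now: float) -> bool:
        """-m recent --set: add or refresh the entry; always matches."""
        self.last_seen[ip] = now
        return True


def filter_new_ssh(events: List[Tuple[float, str]], seconds: float = SECONDS) -> List[str]:
    """Apply the two rules, in order, to (time, src_ip) NEW connections to port 22
    and return the verdict for each one."""
    table = RecentTable()
    verdicts = []
    for now, ip in events:
        if table.update(ip, now, seconds):
            verdicts.append("DROP")    # rule 1: seen within the window, drop
        else:
            table.set(ip, now)
            verdicts.append("ACCEPT")  # rule 2: record the source, accept
    return verdicts


# Constructed sample: 198.51.100.7 retries every 5-10 s, 203.0.113.9 is an admin
# who connects twice, 20 s apart.
SAMPLE = [(0, "198.51.100.7"), (5, "198.51.100.7"), (10, "198.51.100.7"),
          (12, "203.0.113.9"), (20, "198.51.100.7"), (32, "203.0.113.9"),
          (40, "198.51.100.7")]

if __name__ == "__main__":
    for (t, ip), verdict in zip(SAMPLE, filter_new_ssh(SAMPLE)):
        print(f"t={t:3d}s {ip:14s} {verdict}")
```

Note that the retry at t=20 is dropped even though 20 seconds have passed since the source was last accepted, because the drops at t=5 and t=10 each refreshed its timestamp.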

Another way of limiting dictionary attacks is to limit using -m limit --limit <rate> like this:

iptables -A INPUT -p tcp --dport ssh -m limit --limit 3/minute --limit-burst 2 -j ACCEPT

This rule does the trick of setting a limit of 3 connections per minute, but the first two connections will exhaust the limit-burst, so the rule effectively limits the connection attempt rate to 1/minute.
