On Tue, Aug 19, 2008 at 5:04 PM, Kenneth Porter shiva@sewingwitch.com wrote:
--On Tuesday, August 19, 2008 10:15 AM -0500 David Dyer-Bennet dd-b@dd-b.net wrote:
That's the right general approach; duplicate the drop rule but with a LOG target and appropriate logging parameters.
Another approach is to create a subchain that just logs and drops (no match rules), and in your main chain you match on the desired packet and jump to the subchain. That eliminates the need to maintain the same match in two places, and reduces the number of rules a non-dropped packet has to pass through.
Could you post a sample, using the OP's example as a base?
Thanks.
mhr
Hi,
On Tue, Aug 19, 2008 at 21:23, MHR mhullrich@gmail.com wrote:
Another approach is to create a subchain that just logs and drops (no match rules), and in your main chain you match on the desired packet and jump to the subchain. That eliminates the need to maintain the same match in two places, and reduces the number of rules a non-dropped packet has to pass through.
Could you post a sample, using the OP's example as a base?
Sure!
# create a chain to log and drop
iptables -N LOGANDDROP
# in that chain, log and then drop any packet that gets there
iptables -A LOGANDDROP -j LOG --log-prefix 'SSH attack: '
iptables -A LOGANDDROP -j DROP
# and in INPUT, send any SSH packet with more
# than 5 hits per minute to that chain
iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
  -m recent --update --seconds 60 --hitcount 5 \
  --rttl --name SSH -j LOGANDDROP
The name LOGANDDROP could probably be improved... Maybe SSHATTACK would be more appropriate.
HTH, Filipe
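An added, generalized version of the log-and-drop subchain pattern from the thread, written as an example here and not taken from any poster. It emits the rules in iptables-restore format so they can be reviewed before loading, and it takes the chain name, port, hit count, window and log prefix as parameters (the defaults LOGANDDROP, 22, 5, 60 and 'SSH attack: ' are the values used above; the list name SSH is also from the thread). One caveat it handles that the bare snippet above does not: `-m recent --update` only refreshes addresses already in the list, so a `-m recent --set` rule has to sit in front of it, otherwise the jump to the subchain never fires.

```shell
#!/bin/sh
# Example (not from the thread): build a log-and-drop subchain for
# rate-limited SSH connects as an iptables-restore fragment.
# Chain name LOGANDDROP, list name SSH and the log prefix come from the
# thread; every other default below is a constructed assumption.

# emit_ruleset [CHAIN] [PORT] [HITCOUNT] [SECONDS] [PREFIX]
#   Print a filter-table fragment on stdout.
emit_ruleset() {
    chain=${1:-LOGANDDROP}
    port=${2:-22}
    hits=${3:-5}
    secs=${4:-60}
    prefix=${5:-"SSH attack: "}
    cat <<EOF
*filter
:$chain - [0:0]
# the subchain has no match rules: everything sent here is logged, then dropped
-A $chain -j LOG --log-prefix "$prefix" --log-level 4
-A $chain -j DROP
# record the source of every new connection to the port in the list;
# the --update rule only refreshes entries already present, so a --set rule must precede it
-A INPUT -p tcp --dport $port -m state --state NEW -m recent --set --name SSH
-A INPUT -p tcp --dport $port -m state --state NEW -m recent --update --seconds $secs --hitcount $hits --rttl --name SSH -j $chain
COMMIT
EOF
}

# set_precedes_update [same args]
#   Sanity check on the generated fragment: succeeds only when the
#   'recent --set' rule appears before the 'recent --update' rule.
set_precedes_update() {
    out=$(emit_ruleset "$@")
    s=$(printf '%s\n' "$out" | grep -n 'recent --set' | head -1 | cut -d: -f1)
    u=$(printf '%s\n' "$out" | grep -n 'recent --update' | head -1 | cut -d: -f1)
    [ -n "$s" ] && [ -n "$u" ] && [ "$s" -lt "$u" ]
}

# apply_ruleset [same args]
#   Load the fragment without flushing the rest of the filter table.
#   Needs root and a real netfilter; never run by the checks above.
apply_ruleset() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_ruleset: must run as root" >&2
        return 1
    fi
    set_precedes_update "$@" || return 1
    emit_ruleset "$@" | iptables-restore --noflush
}

# usage: sh logdrop.sh            (print the fragment for review)
#        sh logdrop.sh apply      (load it, as root)
if [ "${1:-}" = apply ]; then
    shift
    apply_ruleset "$@"
else
    emit_ruleset "$@"
fi
```

Because the match is only written once (in the INPUT jump), renaming the chain, changing the port or tightening the hit count is a single-parameter change, and the subchain stays free of match rules exactly as described above; `iptables-restore --noflush` keeps the rest of the table intact while (re)creating the subchain.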