On Tue, 25 May 2010, David wrote:

> I would like to use CentOS for all. I've a transparent firewall (CentOS
> + iptables) and I want to use it as a filter. I've been using iptables
> on the server machine (not in transparent firewall), and I want to get
> the job done by the firewall. Is it possible for my firewall to do this
> task while the computer being attacked is a different one?

sort of, yes.

after some investigation and thought, i decided to protect my ssh servers with rate-limiting, using iptables. rate-limiting doesn't care whether a login succeeded or failed; it just detects repeated attempts to connect from the same source address to the same destination port, and blocks any past the first two in a rolling 60-second window (both parameters are of course configurable). this makes it suitable for use on the firewall rather than the endpoint, and i suspect it can be extended to IMAP and similar services (though mail clients that wish to continually make new connections rather than keeping existing ones open and reusing them will run into problems).

for sshd, analysis of last week's logs shows that the number of connection attempts rejected this way each day varies from 2,200 to 82,000, while the number of failed logins on sshd varies daily from 2 to 25 - so you can see that this is somewhere between 99% and 99.997% effective at preventing people from getting as far as a password-guessing attack. server load has *substantially* decreased.

if this is of interest to you, i wrote the details up at http://www.teaparty.net/technotes/ssh-rate-limiting.html .

-- 
Tom Yates - http://www.teaparty.net
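An added example of the rate-limiting rules the reply describes, written for a transparent firewall in front of the ssh server (it is not Tom's script and not from the linked write-up): it uses the iptables `recent` match in the FORWARD chain, allowing two new connections per source per rolling 60-second window and dropping the rest; the chain name `SSH_RATELIMIT`, the `recent` list name `ssh`, and the `IPT` dry-run variable are this example's own choices.

```shell
#!/bin/sh
# Rate-limit new TCP connections crossing the firewall, per source address,
# with the iptables "recent" match. Defaults: port 22, 2 attempts allowed
# per rolling 60-second window (assumed IPv4, FORWARD chain of a bridge).
IPT=${IPT:-iptables}        # set IPT=echo to print the rules instead of loading them

ssh_ratelimit() {
    port=${1:-22}; hits=${2:-2}; secs=${3:-60}
    chain=SSH_RATELIMIT
    # --set below records the current packet too, so "allow N" is hitcount N+1.
    limit=$((hits + 1))
    $IPT -N "$chain" 2>/dev/null || true    # chain may already exist
    $IPT -F "$chain"
    # Record the source address and refresh its timestamp on every new attempt.
    $IPT -A "$chain" -m recent --name ssh --set
    # Drop when this source has made more than $hits attempts within $secs.
    # Because --set runs first on every attempt, dropped attempts also refresh
    # the window: a source that keeps hammering stays blocked until it goes
    # quiet for $secs seconds, which matches the behaviour described above.
    $IPT -A "$chain" -m recent --name ssh --update --seconds "$secs" \
         --hitcount "$limit" -j DROP
    $IPT -A "$chain" -j ACCEPT
    # Only new connections (SYN) enter the chain; packets of established
    # sessions are never counted, so long-lived logins are unaffected.
    $IPT -A FORWARD -p tcp --dport "$port" -m conntrack --ctstate NEW -j "$chain"
}

# Uncomment to apply the defaults for ssh; pass e.g. 143 2 60 for IMAP, but
# note the caveat above about clients that reconnect for every operation.
# ssh_ratelimit 22 2 60
```

Run with `IPT=echo sh script.sh` after uncommenting the last line to review the generated rules before loading them; `iptables -L SSH_RATELIMIT -v -n` afterwards shows the drop counter that corresponds to the daily rejection figures quoted in the reply.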