On 06 21, 06, at 10:44 PM, Jim Sandoz wrote:
> jett,
> if I understand your question, you want:
> 1) outbound ssh unlimited, i.e. works all of the time.
> *and*
Yes, this is correct.
> 2) inbound ssh limited to 1 hour per day (say 1300->1400).
> is this correct?
Yes, but 1 hour here is an example only.
> ipf by itself cannot do this. Basically you need to have two
> rulesets, the second of which incorporates a pass IN for tcp/22.
> Then, you can use cron to swap between the two rulesets at the
> times you need to.
Actually I have done this using Juan J. Martinez's ssh_blocker script,
which I modified to support IPFilter. The only thing is that it uses
cron to do its job.

I'm actually running it to block brute-force attacks every 3 mins and
it works fine. Nothing personal with using cron, but anybody can "tweak"
the brute-force script to force dictionary attacks on my sshd server,
say for example 500 times/minute, so in 3 mins that would be 1500
user/pass combinations. Compared to using connection-limit, I can set a
threshold, say 10 connections per IP address for 5 secs, after which
that IP address would automatically be blocked.
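The per-address threshold described at the end of the reply (10 connections from one address within 5 seconds, then block that address), as an added example that is not part of the thread and not Juan J. Martinez's ssh_blocker: a sliding-window check over a constructed list of new TCP/22 connection events that emits one IPFilter block rule per offending address. The event list, addresses and the exact rule wording are assumptions.

```python
from collections import defaultdict, deque

THRESHOLD = 10   # connections from one address ...
WINDOW = 5.0     # ... within this many seconds trigger a block

# Constructed sample: (timestamp in seconds, source address) for each new
# connection to tcp/22, sorted by time. One address hammers the daemon
# (12 attempts in 3 s); the other connects 10 times spread over 54 s.
SAMPLE_EVENTS = sorted(
    [(100.0 + 0.25 * i, "198.51.100.7") for i in range(12)]
    + [(90.0 + 6.0 * i, "203.0.113.4") for i in range(10)]
)


def find_offenders(events, threshold=THRESHOLD, window=WINDOW):
    """Return the addresses that reach `threshold` connections inside any
    `window`-second span. `events` must be ordered by timestamp; each
    address keeps only the timestamps still inside the current window."""
    recent = defaultdict(deque)
    offenders = set()
    for ts, ip in events:
        q = recent[ip]
        q.append(ts)
        # Drop timestamps that have aged out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            offenders.add(ip)
    return offenders


def ipf_block_rules(addresses):
    """Render one IPFilter rule per offending address (assumed rule form);
    'quick' makes the block final without evaluating later rules."""
    return [
        f"block in quick proto tcp from {ip}/32 to any port = 22"
        for ip in sorted(addresses)
    ]


if __name__ == "__main__":
    for rule in ipf_block_rules(find_offenders(SAMPLE_EVENTS)):
        print(rule)
```

With a rate of 500 attempts per minute, as in the reply, the threshold is reached after roughly the first second of traffic rather than at the next cron run.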