On 1/9/2014 5:26 AM, Øyvind Lode wrote:
> Hi:
>
> I have a few questions about limiting ssh connections.
>
> I have the following ssh rules in /etc/shorewall/rules:
>
> # Forward ssh to local machine
> SSH(DNAT) net loc:192.168.1.2
>
> # Allow ssh to FW from internet
> DNAT net fw:192.168.1.1:22 tcp 2222
>
> Both sshd instances are configured to only allow key-based authentication.
>
> But I also want to set a connection limit.
>
> In the shorewall-rules man page I found (example 3 - modified to my setup):
>
> DNAT net fw:192.168.1.1:22 tcp 2222 - - 3/min:10
>
> I have not yet tested if the above will work though.
It is a poor idea to limit overall connections in this way -- if someone is attempting a brute force login, *you* won't be able to log in. A better way to do this is:

DNAT net fw:192.168.1.1:22 tcp 2222 - - s:ssh:1/min:3

That will allow up to three logins in a minute *per source IP address* with an overall limit of one login per minute per source IP address.

> In the above example I will allow 3 connections per min with a burst of 10.
>
> What does burst actually mean?

http://www.shorewall.org/configuration_file_basics.htm#RateLimit

> Can I also log the packets that are dropped after exceeding the limit?

Your policy logging should take care of that.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
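To make the difference between the two RATE settings in the thread concrete, here is an added simulation (not code from the thread or from Shorewall) that models the rate/burst token bucket Shorewall's RATE column sets up and replays a constructed minute of traffic through both rules. The addresses and the traffic pattern are made up; the bucket is a simplified approximation of the iptables limit/hashlimit match, not its exact implementation.

```python
from fractions import Fraction

class TokenBucket:
    """Approximation of the iptables limit/hashlimit match behind Shorewall's RATE
    column: a bucket holds at most `burst` tokens, refills at `rate_per_min` tokens
    per minute, and a packet matches the rule only if a whole token is available.
    per_source=True keeps one bucket per source address (Shorewall's "s:" prefix);
    per_source=False is a single bucket shared by every client."""

    def __init__(self, rate_per_min, burst, per_source):
        self.refill = Fraction(rate_per_min, 60)  # tokens per second, kept exact
        self.burst = Fraction(burst)
        self.per_source = per_source
        self.buckets = {}                         # key -> (tokens, last_seen)

    def matches(self, t, src):
        key = src if self.per_source else "*"
        tokens, last = self.buckets.get(key, (self.burst, t))
        tokens = min(self.burst, tokens + (t - last) * self.refill)
        ok = tokens >= 1
        self.buckets[key] = (tokens - 1 if ok else tokens, t)
        return ok

def simulate(limiter, events):
    """events: (second, source_ip) pairs. Returns how many connection attempts
    from each source matched the DNAT rule; the rest fall through to the
    net->fw policy, which is where they get logged and dropped."""
    accepted = {}
    for t, src in sorted(events):
        if limiter.matches(t, src):
            accepted[src] = accepted.get(src, 0) + 1
    return accepted

# Constructed traffic: one source hammers port 2222 once a second for a minute,
# while the administrator tries twice from a different (constructed) address.
ATTACKER, ADMIN = "10.0.0.9", "203.0.113.5"
EVENTS = [(t, ATTACKER) for t in range(60)] + [(35, ADMIN), (40, ADMIN)]

def overall_limit():
    """The thread's first rule, '3/min:10': one shared bucket for all sources."""
    return simulate(TokenBucket(3, 10, per_source=False), EVENTS)

def per_source_limit():
    """Tom's suggestion, 's:ssh:1/min:3': a separate bucket per source address."""
    return simulate(TokenBucket(1, 3, per_source=True), EVENTS)

if __name__ == "__main__":
    print("3/min:10      ->", overall_limit())     # attacker 12, admin never matches
    print("s:ssh:1/min:3 ->", per_source_limit())  # attacker 3, admin 2
```

With the shared bucket the flooding source spends the burst in the first ten seconds and then takes every refilled token, so the administrator's attempts never match; with the per-source bucket the flooding source is held to three attempts and the administrator's own bucket is untouched.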
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
