Thanks all! I have now decided on how to implement this and the new config is live.
But I will not announce it on the list. I actually now see connection attempts on tcp 2222 from India after I announced the port on this list. A coincidence? I don't think so :)

-----Original Message-----
From: Simon Hobson [mailto:[email protected]]
Sent: 9 January 2014 16:02
To: Shorewall Users
Subject: Re: [Shorewall-users] Limit ssh connections to reduce brute force attacks

Øyvind Lode <[email protected]> wrote:

> In the shorewall-rules man page I found (example 3 - modified to my setup):
>
> DNAT net fw:192.168.1.1:22 tcp 2222 - - 3/min:10
>
> I have not yet tested if the above will work though.
>
> In the above example I will allow 3 connections per min with a burst of 10.
>
> What does burst actually mean?

Easiest way to think of it is like a bucket with a leak. When you get a connection attempt, you throw a token in the bucket - but if the bucket is full you drop the connection. All the time, tokens leak out of the bucket, thus allowing future connections after a delay.

The rate is like the size of the hole in the bucket - in this case 3 tokens per min. Burst is like the size of the bucket - in this case 10 tokens.

So if you've had no connections for a while, and then get a lot, you'll allow a burst of 10 connections before you start rate limiting. After that initial burst, you'll rate limit to 3/min. If the connections stop (or slow down), then the bucket can drain and you'll build up a burst capability again.

But bear in mind that rate limiting the connections like this will present a DoS opportunity. From observation, many attackers just don't give up so they'll carry on hammering your connection. If you try to log in yourself during this time, statistically you'll struggle to hit one of those moments when the bucket has drained enough to allow one more connection.

I'd suggest also looking at fail2ban (or something similar). You can configure the number of attempts (and over what time span) before the IP address is blocked.
It won't help against a distributed attack, but my experience is that those aren't that common - and in any case, each address would only get (say) 3 attempts before being blocked.

------------------------------------------------------------------------------
CenturyLink Cloud: The Leader in Enterprise Cloud Services. Learn Why More Businesses Are Choosing CenturyLink Cloud For Critical Workloads, Development Environments & Everything In Between. Get a Quote or Start a Free Trial Today.
http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
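An added example, not code from the thread or from the Shorewall project, that simulates the two behaviours Simon describes above: the `3/min:10` rule as a classic token bucket (rate 3 tokens per minute, bucket size 10, starting full after a quiet period), and a fail2ban-style per-IP jail placed in front of it. It assumes the rule behaves as a textbook token bucket, which is how Simon explains it; the addresses, timings, the "bot every 5 seconds" pattern and the jail parameters (3 failures within 600 s, 3600 s ban) are constructed for the simulation. Scenario 2 shows the DoS point: with one shared bucket and a bot that never gives up, the owner's three login attempts are all dropped, whereas with the jail the bot is banned after its third failure and the bucket refills for the owner.

```python
"""Token-bucket rate limiting (Shorewall `3/min:10`) and a per-IP
fail2ban-style jail, simulated. Added example; every address, timing
and parameter below is constructed for the simulation."""
from collections import defaultdict, deque
from fractions import Fraction  # exact arithmetic: no float drift at 3/min


class TokenBucket:
    """rate = size of the hole (tokens per minute), burst = size of the bucket."""

    def __init__(self, rate_per_min, burst):
        self.rate = Fraction(rate_per_min, 60)  # tokens refilled per second
        self.burst = Fraction(burst)
        self.tokens = self.burst                # a quiet host starts with a full burst
        self.last = Fraction(0)

    def allow(self, now):
        now = Fraction(now)
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class Jail:
    """fail2ban-style: ban an IP after maxretry failed logins within findtime."""

    def __init__(self, maxretry=3, findtime=600, bantime=3600):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)
        self.banned_until = {}

    def is_banned(self, ip, now):
        return now < self.banned_until.get(ip, -1)

    def record_failure(self, ip, now):
        q = self.failures[ip]
        q.append(now)
        while q[0] < now - self.findtime:       # forget failures older than findtime
            q.popleft()
        if len(q) >= self.maxretry:
            self.banned_until[ip] = now + self.bantime
            q.clear()


def simulate(events, rate_per_min=3, burst=10, jail=None):
    """events: (time_s, ip, login_fails). One bucket shared by everyone, as a
    single rule gives; a jail, if present, rejects banned IPs before the bucket."""
    bucket = TokenBucket(rate_per_min, burst)
    results = defaultdict(list)
    for t, ip, fails in sorted(events):
        if jail is not None and jail.is_banned(ip, t):
            results[ip].append((t, "banned"))
        elif not bucket.allow(t):
            results[ip].append((t, "dropped"))   # rate limit hit
        else:
            results[ip].append((t, "accepted"))
            if fails and jail is not None:
                jail.record_failure(ip, t)       # sshd would log this failure
    return dict(results)


def count(results, ip, outcome):
    return sum(1 for _, o in results.get(ip, []) if o == outcome)


ATTACKER, USER = "203.0.113.5", "198.51.100.7"   # constructed (documentation) addresses

# Scenario 1 (constructed): 15 attempts in 15 s from a quiet start, then one at
# t=19 and one at t=20 (the 11th token has refilled exactly at t=20).
BURST_EVENTS = [(t, USER, False) for t in range(15)] + [(19, USER, False), (20, USER, False)]

# Scenario 2 (constructed): a bot connects every 5 s for ten minutes and every
# accepted attempt is a failed login; the owner tries at t=302, 403 and 507.
ATTACK_EVENTS = [(t, ATTACKER, True) for t in range(0, 600, 5)] + \
                [(302, USER, False), (403, USER, False), (507, USER, False)]

if __name__ == "__main__":
    r = simulate(BURST_EVENTS)
    print("burst only: ", count(r, USER, "accepted"), "accepted,", count(r, USER, "dropped"), "dropped")
    r = simulate(ATTACK_EVENTS)
    print("bot, no jail: owner accepted", count(r, USER, "accepted"), "of 3")
    r = simulate(ATTACK_EVENTS, jail=Jail())
    print("bot + jail:   owner accepted", count(r, USER, "accepted"), "of 3;",
          "bot banned", count(r, ATTACKER, "banned"), "times")
```

In scenario 1 the bucket admits 10 connections, drops the next 5, drops the one at t=19 and admits the one at t=20, when a full token has refilled. In scenario 2 without the jail the bot alone consumes every token that refills (13 accepted in the first minute, then one every 20 s), so the owner is dropped all three times; with the jail the bot is banned at its third failure (t=10) and the owner's three attempts are all accepted.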
