  1. #1
    Just Joined!
    Join Date
    Jun 2008
    Posts
    84

    iptables port connection limit rule


    I'm trying to secure my ssh port with iptables. So far I successfully limit one ip to connect once a minute:

    iptables -A INPUT -p tcp --dport 22 -i eth1 -m state --state NEW -m recent --set
    iptables -A INPUT -p tcp --dport 22 -i eth1 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 -j DROP

    How would I add a rule that limits the total number of connections to 10, on port 22?

  2. #2
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,672
    Change the "--hitcount" to a number you want to allow plus 1.

    I have a question: are you using passwords to log into ssh, or keys?

    While the rule only allows 10 attempts, it doesn't worry about connected sessions, just new sessions. If someone tries 11 times to connect to ssh, then everyone is locked out for 60 sec.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  3. #3
    Just Joined!
    Join Date
    Jun 2008
    Posts
    84
    To clarify, I want two rules:

    1) A connection to port 22 can only be made once every 60 seconds per IP.
    Edit* 2) There can only be 10 new connections to port 22 every 5 minutes, regardless of IP.

    The original two iptables lines I listed enforce rule 1), look here for reference: Using iptables to rate-limit incoming connections.

    I'm trying to build rule 2). I don't want rule 2) to be based on IP, I just want to allow 10 connections from any number of IPs at once to port 22.

  4. #4
    Just Joined!
    Join Date
    Jun 2008
    Posts
    84
    I looked around and people were saying the --limit and --limit-burst would limit concurrent connections, no matter the IP. I only have two comps, so I haven't tested it out on multiple machines yet; it works against one.

    iptables -A INPUT -p tcp --dport 22 -i eth1 -m state --state NEW -m recent --set
    iptables -A INPUT -p tcp --dport 22 -i eth1 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 -j DROP
    iptables -A INPUT -p tcp --dport 22 -i eth1 -m limit --limit 1/minute --limit-burst 10 -j ACCEPT

    I would rather have the --limit rule first, but I haven't found a way for it to say, "continue to the next rule if true, drop if false". Then, if someone does a DDOS attack with a big botnet, the packets will get dropped before going through two rules.

    Ideally:

    iptables -A INPUT -p tcp --dport 22 -i eth1 -m limit --limit 1/minute --limit-burst 10 -j "continue to the next rule if true, drop if false"
    iptables -A INPUT -p tcp --dport 22 -i eth1 -m state --state NEW -m recent --set
    iptables -A INPUT -p tcp --dport 22 -i eth1 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 -j DROP
    iptables -A INPUT -p tcp --dport 22 -i eth1 -m state --state NEW -j ACCEPT

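One way to get the "continue to the next rule if true, drop if false" ordering asked for in post #4 is a user-defined chain: the -m limit rule jumps into the chain, and the rule right after it drops whatever the limit did not pass. The script below is an added example written for this thread, not code from the thread; the chain name SSH_NEW, the recent list name "ssh", and the IPT and RUN_SSH_RULES variables are assumptions of the example, while 1/minute, burst 10 and 60 seconds are the values used in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): post #4's desired rule order built
# with a user-defined chain. Packets under the global -m limit budget jump
# into SSH_NEW; packets over budget hit the DROP right after the jump and
# never reach the per-IP checks. SSH_NEW, the "ssh" list name and the
# IPT / RUN_SSH_RULES variables are assumptions of this example.

IPT="${IPT:-iptables}"   # IPT="echo iptables" prints the rules instead of loading them

ssh_rules() {
    iface="$1"   # interface, e.g. eth1
    burst="$2"   # new connections allowed at once, from any source
    rate="$3"    # refill rate of the bucket, e.g. 1/minute

    # Create the chain, or flush it if it already exists.
    $IPT -N SSH_NEW 2>/dev/null || $IPT -F SSH_NEW

    # Global budget, regardless of source IP: a bucket of $burst tokens
    # refilled at $rate. A packet that gets a token continues in SSH_NEW.
    $IPT -A INPUT -p tcp --dport 22 -i "$iface" -m state --state NEW \
        -m limit --limit "$rate" --limit-burst "$burst" -j SSH_NEW

    # Over budget: dropped here, before the per-IP rules do any work.
    $IPT -A INPUT -p tcp --dport 22 -i "$iface" -m state --state NEW -j DROP

    # Per-IP rule from the thread: one new connection per source every 60 s.
    # --set records the source; --update with --hitcount 2 drops the second
    # hit seen within 60 s (and refreshes the timestamp, extending the lockout).
    $IPT -A SSH_NEW -m recent --name ssh --set
    $IPT -A SSH_NEW -m recent --name ssh --update --seconds 60 --hitcount 2 -j DROP

    # Within both limits: accept. The chain always ends in a verdict, so no
    # packet returns to INPUT and falls into the DROP above by mistake.
    $IPT -A SSH_NEW -j ACCEPT
}

# Load the rules only when asked, so sourcing this file changes nothing.
if [ -n "${RUN_SSH_RULES:-}" ]; then
    ssh_rules eth1 10 1/minute
fi
```

Note that the limit bucket is shared by every source, so one host burning the burst blocks new ssh connections for everyone until tokens refill, whereas the recent rule only throttles the host that tripped it.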