From: Alex Efros
To: gentoo-security@lists.gentoo.org
Subject: Re: [gentoo-security] [OT?] automatically firewalling off IPs
Date: Mon, 3 Oct 2005 01:53:53 +0300
Message-ID: <20051002225353.GN3481@home.power>
In-Reply-To: <000001c5c797$aa732870$0200080a@SPRITE>
References: <43404CB8.3@lunatic.net.nz> <000001c5c797$aa732870$0200080a@SPRITE>

Hi!

On Sun, Oct 02, 2005 at 02:24:23PM -0700, Tad Glines wrote:
> These are the rules that I'm using.
>
> # Track connections to SSH
> -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags FIN,ACK FIN,ACK \
>     --dport 22 -m recent --name SSH --set
> -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags RST RST \
>     --dport 22 -m recent --name SSH --set
>
> # Drop if connection rate exceeds 4/minute
> -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
>     --rcheck --seconds 60 --hitcount 4 -m limit -j LOG --log-prefix "SSH_limit: "
> -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
>     --rcheck --seconds 60 --hitcount 4 -j DROP
>
> # Drop if connection rate exceeds 20/hour
> -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
>     --rcheck --seconds 3600 --hitcount 20 -m limit -j LOG --log-prefix "SSH_limit: "
> -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
>     --rcheck --seconds 3600 --hitcount 20 -j DROP

What about DoS because of these rules? Imagine somebody runs SSH connections to your host every 10 seconds while you don't have an already-opened SSH connection to the server... In this case you will never have a chance to log in to your server (and fix this issue)?!

-- 
WBR, Alex.

-- 
gentoo-security@gentoo.org mailing list
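An added example, not from the thread: a small Python model of the iptables `recent` match (`--set`, `--rcheck --seconds --hitcount`) applied to the quoted SSH rules, replaying the "one connection every 10 seconds" scenario from the reply so the throttling behaviour can be checked on a constructed event stream before rules like these go live. The event stream, the 192.0.2.10 address and the 20-timestamp cap per address (the module's `ip_pkt_list_tot` default) are assumptions of this example; it only tracks new connection attempts, whereas the quoted DROP rule has no `--state` match and so also matches packets of existing connections from a listed address.

```python
# Model of the iptables "recent" match behind the quoted SSH rules.
# Added example, not code from the mailing-list post.
from collections import defaultdict, deque

MAX_HITS_PER_ADDR = 20  # assumed: recent module's ip_pkt_list_tot default


class RecentList:
    """Per-source-address hit timestamps, like one named 'recent' list."""

    def __init__(self):
        self.hits = defaultdict(lambda: deque(maxlen=MAX_HITS_PER_ADDR))

    def set(self, addr, now):
        # --set: record another hit timestamp for this address
        self.hits[addr].append(now)

    def rcheck(self, addr, now, seconds, hitcount):
        # --rcheck --seconds S --hitcount H: match if the address has at
        # least H hits within the last S seconds (does not add a hit)
        within = [t for t in self.hits.get(addr, ()) if now - t <= seconds]
        return len(within) >= hitcount


def simulate(events):
    """Replay (time, addr, kind) events through the quoted rule set.

    kind 'syn' is a new connection attempt to port 22; kind 'close' is the
    FIN,ACK or RST of an ESTABLISHED connection, which the first two rules
    record with --set.  A close only counts if a SYN from that address was
    accepted earlier.  Returns the (time, addr) SYNs the 4/minute or
    20/hour rules drop.
    """
    ssh = RecentList()
    open_conns = defaultdict(int)
    dropped = []
    for t, addr, kind in sorted(events):
        if kind == "close" and open_conns[addr] > 0:
            open_conns[addr] -= 1
            ssh.set(addr, t)
        elif kind == "syn":
            if ssh.rcheck(addr, t, 60, 4) or ssh.rcheck(addr, t, 3600, 20):
                dropped.append((t, addr))
            else:
                open_conns[addr] += 1
    return dropped


def noisy_client(addr="192.0.2.10", period=10, duration=120):
    """Constructed scenario: one host connects and disconnects every 10 s."""
    events = []
    for t in range(0, duration, period):
        events.append((t, addr, "syn"))
        events.append((t + 1, addr, "close"))
    return simulate(events)
```

Running `noisy_client()` shows the address is dropped at t=40, 50 and 60 s, admitted again once the oldest hit ages out of the 60 s window, and dropped again at 110 s, i.e. the rule throttles the source intermittently rather than blocking it outright.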