[WBEL-users] WBEL 3.0 iptables [SSH Dictionary attacks followup]

Vic whitebox at beer.org.uk
Mon Jul 10 04:24:52 CDT 2006


> I read a thread from back in March, where a couple of you discussed
> adding a couple of rules to iptables to rate-limit ssh connections via
> the use of libipt_recent.so in the config.

That's not how I do it.

I have a rule that runs a chain called ssh whenever someone tries a new
ssh connection :-

-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 22 --state NEW -j ssh

Then I have a list of whitelisted IP addresses in that chain :-

# Vic's home
-A ssh -s 213.232.80.166 -j ACCEPT

Then I have a rule allowing a few connection attempts per minute :-

-A ssh -p tcp -m tcp -m limit -m state --limit 2/minute --limit-burst 2 --state NEW -j ACCEPT

Then I drop anything that hasn't been allowed :-

-A ssh -j DROP

This runs just fine on WBEL3 (which is where I first trialled the idea).

Vic.
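Added example, not part of Vic's post or the WBEL project: the script below renders the ssh chain he describes as one-rule-per-line iptables-restore text, and models how the kernel `limit` match decides which NEW connections get through, so you can see what "2/minute, burst 2" does to a dictionary attack and to a legitimate user behind the same rule. The whitelist address (192.0.2.10), the attacker and admin addresses, the connection timings and the `LimitMatch` class (a token-bucket model of the kernel behaviour, not kernel code) are all constructed for illustration.

```python
from ipaddress import ip_address

# Assumed parameters mirroring the post: 2 attempts/minute, burst 2, one whitelisted host.
# The address is a documentation-range placeholder, not the address from the post.
RATE_PER_MINUTE = 2
BURST = 2
WHITELIST = ["192.0.2.10"]


def render_ssh_rules(whitelist, rate_per_minute=RATE_PER_MINUTE, burst=BURST, port=22):
    """Return the chain as iptables-save/restore text, one rule per line.

    Rule order is the whole point: whitelist first (never rate-limited), then
    the rate-limited ACCEPT, then the catch-all DROP.  RH-Firewall-1-INPUT is
    the stock RHEL/WBEL input chain; the ':ssh' line declares the user chain.
    """
    lines = ["*filter", ":ssh - [0:0]",
             f"-A RH-Firewall-1-INPUT -p tcp -m tcp --dport {port} -m state --state NEW -j ssh"]
    for src in whitelist:
        ip_address(src)  # fail on a typo here rather than inside iptables-restore
        lines.append(f"-A ssh -s {src} -j ACCEPT")
    lines.append(f"-A ssh -p tcp -m tcp --dport {port} -m state --state NEW "
                 f"-m limit --limit {rate_per_minute}/minute --limit-burst {burst} -j ACCEPT")
    lines += ["-A ssh -j DROP", "COMMIT"]
    return "\n".join(lines) + "\n"


class LimitMatch:
    """Model of the kernel 'limit' match: one token bucket per rule, shared by
    every packet that reaches the rule, regardless of source address.

    The bucket starts full at `burst` packets' worth of credit, each matching
    packet spends one packet's worth (60/rate seconds) and credit refills
    continuously with wall-clock time, capped at the burst.
    """

    def __init__(self, rate_per_minute=RATE_PER_MINUTE, burst=BURST):
        self.cost = 60.0 / rate_per_minute   # seconds of credit per accepted packet
        self.cap = self.cost * burst
        self.credit = self.cap
        self.prev = None

    def matches(self, now):
        if self.prev is not None:
            self.credit = min(self.cap, self.credit + (now - self.prev))
        self.prev = now
        if self.credit >= self.cost:
            self.credit -= self.cost
            return True
        return False


def ssh_chain_verdicts(events, whitelist=WHITELIST, rate_per_minute=RATE_PER_MINUTE, burst=BURST):
    """Run NEW-connection events (seconds, source IP) through the chain in rule order."""
    trusted = set(whitelist)
    bucket = LimitMatch(rate_per_minute, burst)
    verdicts = []
    for t, src in sorted(events):
        if src in trusted:
            verdicts.append((t, src, "ACCEPT"))   # whitelist rule matched first
        elif bucket.matches(t):
            verdicts.append((t, src, "ACCEPT"))   # limit rule still had credit
        else:
            verdicts.append((t, src, "DROP"))     # fell through to the final DROP
    return verdicts


def accepted_times(verdicts):
    """Map source IP -> list of times at which its connection was accepted."""
    out = {}
    for t, src, verdict in verdicts:
        if verdict == "ACCEPT":
            out.setdefault(src, []).append(t)
    return out


# Constructed sample traffic: a dictionary attacker (203.0.113.7) opens one NEW
# connection per second for a minute; an admin on an un-whitelisted host
# (198.51.100.5) and the whitelisted host both try once at t=30.5 s.
SAMPLE_EVENTS = [(float(t), "203.0.113.7") for t in range(62)] + [
    (30.5, "198.51.100.5"),
    (30.5, "192.0.2.10"),
]

if __name__ == "__main__":
    print(render_ssh_rules(WHITELIST))
    for src, times in accepted_times(ssh_chain_verdicts(SAMPLE_EVENTS)).items():
        print(f"{src:14} accepted at {times}")
```

Two things the run makes visible. First, the `limit` bucket is shared by every source that reaches the rule: the attacker drains it in the first two seconds and then gets one attempt through every 30 s, and the un-whitelisted admin who tries at t=30.5 s is dropped along with the rest of the attacker's traffic. That is why the whitelist must come before the limit rule (the `recent` match mentioned in the quoted question tracks per-source counts instead, which is the other way round the problem). Second, placement in the parent chain matters: the stock RH-Firewall-1-INPUT chain ends with a `-j REJECT --reject-with icmp-host-prohibited` rule, so the jump to `ssh` has to sit above that line in /etc/sysconfig/iptables, as in Vic's file; appending it at runtime with `-A` would put it after the REJECT, where it is never reached.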
