Getting flooded
My VPS keeps getting flooded by some kids. Is there a way for IPTABLES to auto-ban the IP if the IP makes too many connections?
Getting flooded
[quote]
Silfro wrote:
My VPS keeps getting flooded by some kids. Is there a way for IPTABLES to auto-ban the IP if the IP makes too many connections?[/quote]
Hi
You can use the [url=http://pkgs.org/download/iptables]iptables[/url] recent module. The following two rules will limit incoming connections to port 22 to no more than 3 attempts in a minute - any more than that will be dropped:
[code]# iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
--set
# iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
--update --seconds 60 --hitcount 4 -j DROP[/code]
Re: Getting flooded
[quote]The following two rules will limit incoming connections to port 22 to no more than 3 attempts in a minute - any more than that will be dropped[/quote]
That would effectively lock yourself out as well, during a flood.[i] Edit: no, it does not; just read up on [url=http://blog.zioup.org/2008/iptables_recent/]'recent'[/url].[/i]
Have a look at fail2ban. That will drop only the incoming connection for the ip-address that's attacking. You can specify how long it should stay banned.
You can whitelist your own ip-address as well.
It's in rpmforge:
[code]Available Packages
fail2ban.noarch 0.8.2-3.el6.rf rpmforge[/code]
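A jail.local for the fail2ban setup described in the post above, added here as an example and not part of the original thread: it sets the ban duration and whitelists an admin address. The address 203.0.113.10, the timing values and the /var/log/secure path (RHEL/CentOS-style) are assumptions to adapt. fail2ban bans on matching log entries such as failed SSH logins, not on raw connection counts.

```ini
# /etc/fail2ban/jail.local  (added example; overrides jail.conf)

[DEFAULT]
# Addresses that are never banned. 203.0.113.10 is a constructed
# placeholder for your own admin IP; entries are space-separated
# and may be single IPs, CIDR ranges or DNS names.
ignoreip = 127.0.0.1 203.0.113.10

# How long a ban lasts, in seconds (assumed value: 1 hour).
bantime  = 3600

# Window in which failures are counted, in seconds (assumed: 10 min).
findtime = 600

# Failures within findtime that trigger a ban (assumed value).
maxretry = 3

[ssh-iptables]
enabled  = true
# Uses the sshd filter shipped with fail2ban to match failed logins.
filter   = sshd
# Inserts a per-source DROP rule in a dedicated iptables chain,
# so only the offending address is blocked.
action   = iptables[name=SSH, port=ssh, protocol=tcp]
# Assumption: sshd logs here on RHEL/CentOS; adjust for your distro.
logpath  = /var/log/secure
```

After restarting the service, `fail2ban-client status ssh-iptables` lists the currently banned addresses for this jail.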