Comments:
<0> anyone know how to tell how many packets ulogd is dropping?
<1> http://pastebin.com/538766 I was wondering if there were any netfilter/iptables wizards that could tell me why lines 47 and 48 alone in a script by themselves work, but if I add these 2 lines to the enclosed script...they no longer limit ssh attempts to 3 per minute....thank you all mighty ones!
<2> capt-rogers, for limiting i use: -m limit --limit 3/second -j ACCEPT
<1> maybe i can add that to my port 22 filter on lines 63 and 64...should that work you think?
<2> capt-rogers, what are lines 49 and 49 supposed to do?
<2> 47 and 48, sorry
<1> these 2 lines by themselves in a script, will limit ssh attempts to 3 per minute....
<1> i was trying to add these 2 lines to the TMF 3 firewall script so it could then have the ability to limit the ssh attempts....
<2> iptables -t filter -A INPUT -p tcp --dport 22-m limit --limit 3/second -j ACCEPT
<2> sorry, should be a space between 22 and the "-"
<2> and change second for minute :)
<2> and delete other rules
<1> can you repost it again? i am copying and pasting...
<1> will try it out with your changes...hope this works! brb in 5
<2> and lines like 30 and 31 could be simplified by putting out the interface limitation
<2> capt-rogers, that should work, if you delete other rules so they don't match first
<2> i think
<2> capt-rogers, (i suppose you will put it where below it says: echo enabling ssh..., so connections which are established/related are accepted)
<1> okay i will work on that today....thanks...
<2> capt-rogers, you are welcome
<2> capt-rogers, hope it works :)
<1> echo "Firewall: enabling 22 ssh"
<1> iptables -A INPUT -i eth0 -p tcp --dport 22 -m limit --limit 3/minute -j ACCEPT
<1> iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m limit --limit 3/minute -j ACCEPT
<1> I can't take it off the OUTPUT i think.....just the INPUT is needed to be limited
<2> capt-rogers, they limit different things
<1> when i get it working i will p*** it forward....
<2> capt-rogers, ok
<2> capt-rogers, it doesn't work?
<1> hang on..testing
<1> okay that's right. i have a script called limitssh and it definitely drops any bad ssh attempts after 3...that tested good. weird iptables not flushing or something..i had to reboot it....
<1> it is just hanging the ssh login attempt...very good....
<2> capt-rogers, no, you don't have to reboot
<1> now i will try and add these lines to the tm4 script and try and make it hang the same way....
<2> capt-rogers, just do it :)
<1> wow, I iptables -F and iptables -Z, and still cannot ssh login...the iptables is not flushing right.....
<2> capt-rogers, i will paste in private rules to flush them all, ok?
<1> my wow comment is incorrect...I forgot to terminate the remote ssh login properly..thus it hung
<1> # allow conntracked access out
<1> iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
<1> iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
<1> echo "Firewall: enabling 22 ssh"
<1> iptables -A INPUT -i eth0 -p tcp --dport 22 -m limit --limit 3/minute -j ACCEPT
<1> iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m limit --limit 3/minute -j ACCEPT
<1> the way it is right here..still permits unlimited ssh attempts...i am missing something.....should i rewrite this differently?
<2> capt-rogers, you are accessing from the lan?
<1> i am doing the ssh attempts by...locally using my terminal, then ssh to a remote server 400 miles away..and using that to try to ssh in using bad p***words....
<2> do not understand
<1> FREAKING SWEET RATA!!! WE GOT IT MAN! IT IS HANGING LIKE..WELL YOU KNOW!!! DROPPING THOSE BAD SSH ATTEMPTS.....The reason i wanted these 2 lines to work is that the script blocks all traffic except for a specified few as you can see. and now you and I added ssh limiting to it...Sweet!!!!
<1> pastebin it now..brb in 5
<1> test it okay once more to be 100% sure....
<3> wtf
<3> wtf is rata
<2> capt-rogers, ok... be quiet
<2> jengelh, suppose it is me :)
<3> Uh. I heard of SATA and PATA...
<3> capt-rogers : I have had that for a long time already. (And not only that.)
<3> Hidden
<3> tproxy ain't workin
<3> ah nm
<3> forgot to upgrade userspace
<3> hm neither
<4> It would be a good feature, if iptables could resolve the --to-(source|destination) parameters.
<5> I agree with rob0 on that one
<4> Somehow I figured you might ;)
<4> (We were just discussing it in #iptables)
<2> jaja
<4> The bugzilla.netfilter.org SSL certificate is expired :)
<5> well rob0, I hope the crusade is successful, I'll pick up my mace again when I get home and we can go to crushing the skulls of our oppressors... erm.. I gotta go to the store, so ja ne! >,.,<
<4> :)
<2> rob0, you are trying to redirect to a host with dynamic ip? or what?
<4> I am not, I just think it would be convenient. root________ here has an embedded system without dig(1). The way I do it, I use "--to `dig +short hostname.fqdn`", but that's not possible without dig.