On 28/12/13 17:57, Eli L. wrote:
> The description for the iptables -m limit rule is incorrect[1], and I
> don't have edit permissions to fix it:
>
> "The first line will accept new connections on port 22 provided that
> IP address hasn't made more than 3 connection attempts in the last
> minute."
>
> Should read more like:
>
> "The first line will accept new connections on port 22 provided there
> haven't been more than 3 connection attempts across all clients in the
> last minute."
>
> Important distinction as it opens you up to being denied login when anyone
> tries to brute force.
> Might be worth dropping the limit example altogether since the preceding -m
> recent example is far safer.
>
> --
> -Eli
>
> [1] Third set of rules on
> http://wiki.centos.org/HowTos/Network/SecuringSSH#head-a296ec93e31637aa349538be07b37f67d836688a
>
Many thanks for the feedback.
As you say, that example doesn't really add anything over and above the
first example, so as suggested I've removed it.
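As an added illustration (not code from this thread or from the CentOS wiki), the following Python model contrasts the two semantics discussed above: a single token bucket shared by every client for -m limit (assumed 3/min with burst 3) against per-source hit counting for -m recent (assumed --seconds 60 --hitcount 4). The source addresses and attempt timeline are constructed.

```python
"""Model of iptables -m limit (one global token bucket) versus -m recent
(per-source hit counting) for new SSH connections.  Added example; rule
parameters and the attempt timeline are assumed/constructed."""
from collections import defaultdict

# Constructed timeline: (seconds, source IP).  A single noisy client sends
# six connection attempts in six seconds, then an unrelated admin tries once.
NOISY, ADMIN = "203.0.113.5", "198.51.100.7"
ATTEMPTS = [(t, NOISY) for t in range(6)] + [(10, ADMIN)]


def limit_match(attempts, rate_per_min=3, burst=3):
    """-m limit --limit 3/min --limit-burst 3 -j ACCEPT (assumed parameters).
    One token bucket for ALL sources: every accepted attempt, whoever sent it,
    spends a token that refills at rate_per_min.  Returns the attempts that
    would be accepted; everything else falls through to the DROP rule."""
    tokens, last, accepted = float(burst), None, []
    for t, src in attempts:
        if last is not None:
            tokens = min(burst, tokens + (t - last) * rate_per_min / 60.0)
        last = t
        if tokens >= 1:
            tokens -= 1
            accepted.append((t, src))
    return accepted


def recent_match(attempts, seconds=60, hitcount=4):
    """-m recent --set, then --update --seconds 60 --hitcount 4 -j DROP
    (assumed parameters).  Hits are counted per source address, so one
    client's attempts never affect another's.  Returns accepted attempts."""
    seen, accepted = defaultdict(list), []
    for t, src in attempts:
        hits = [x for x in seen[src] if t - x < seconds] + [t]  # --set records this hit
        seen[src] = hits
        if len(hits) < hitcount:  # --update: the 4th hit within 60 s is dropped
            accepted.append((t, src))
    return accepted


def admin_gets_in(match):
    """True if the unrelated admin's single attempt is accepted under `match`."""
    return (10, ADMIN) in match(ATTEMPTS)


if __name__ == "__main__":
    # The noisy client empties the shared -m limit bucket, so the admin is
    # refused too; under -m recent only the noisy client is dropped.
    print("-m limit  admin accepted:", admin_gets_in(limit_match))   # False
    print("-m recent admin accepted:", admin_gets_in(recent_match))  # True
```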