I've found the below rule, is it possible to use it with shorewall? I see how to setup the timing/rates but how to perform logging of such action (a separate rule?). As an additional question, is it possible to dynamically add hosts to blacklist and persist this between restarts?

"
SSH
-A PREROUTING -m tcp -p tcp -d $EXTERNAL --dport 22 -m recent --rcheck --hitcount 3 --seconds 600 -j LOG --log-prefix "SSH attack: "
-A PREROUTING -m tcp -p tcp -d $EXTERNAL --dport 22 -m recent --rcheck --hitcount 3 --seconds 600 -j DROP
-A PREROUTING -m tcp -p tcp -d $EXTERNAL --dport 22 -m recent --set -j DNAT --to-destination $INTERNAL:22
-A OUTPUT -m tcp -p tcp -d $EXTERNAL --dport 22 -j DNAT --to-destination $INTERNAL:22

This will drop all incoming SSH requests from an individual IP after 3 attempts are made within ten minutes, for ten minutes, and log the attempt to the syslog. This is a forwarded example but the same thing will work on the input chain.
"

CUIN Kaczy
Andrzej Kaczmarczyk wrote:
> I've found the below rule, is it possible to use it with shorewall?
> I see how to setup the timing/rates but how to perform logging of such
> action (a separate rule?).

This issue has been exhaustively discussed on this list within the last month. Please check the archives.

> as an additional question is it possible to dynamically add hosts to
> blacklist and persist this between restarts?

Not if you implement the blocking rules, no.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Andrzej Kaczmarczyk wrote:
>> as an additional question is it possible to dynamically add hosts to
>> blacklist and persist this between restarts?
>
> Not if you implement the blocking rules, no.

Actually, that's not true -- if you write code to parse the Shorewall log in real time and watch for the log messages generated by your SSH-blocking action then you could add the source IP address to your dynamic blacklist.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
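The log-watching approach Tom describes, as an added example that is not from the thread or from the Shorewall project: it picks the SRC= address out of kernel LOG lines carrying the "SSH attack: " prefix from the rule above and turns each new address into a "shorewall drop" command, followed by "shorewall save" so the dynamic blacklist survives a restart. The sample log lines are constructed; that "shorewall drop" and "shorewall save" behave this way on the reader's Shorewall version, and that dynamic blacklisting is enabled in shorewall.conf, are assumptions to verify against the local documentation.

```python
import re
import subprocess
import sys

# Constructed sample syslog lines in the format the kernel LOG target emits;
# the "SSH attack: " prefix is the one set by the rule quoted in the thread.
SAMPLE_LOG = """\
Jan 10 12:00:01 fw kernel: SSH attack: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP SPT=51234 DPT=22
Jan 10 12:00:02 fw kernel: Shorewall:net2fw:ACCEPT:IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP SPT=40000 DPT=80
Jan 10 12:00:03 fw kernel: SSH attack: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP SPT=51235 DPT=22
Jan 10 12:00:04 fw kernel: SSH attack: IN=eth0 OUT= SRC=203.0.113.20 DST=192.0.2.1 PROTO=TCP SPT=51236 DPT=22
"""

LOG_PREFIX = "SSH attack: "
SRC_RE = re.compile(r"\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b")


def offending_sources(lines, prefix=LOG_PREFIX):
    """Distinct SRC addresses from lines carrying the prefix, in first-seen order."""
    seen = []
    for line in lines:
        if prefix not in line:
            continue  # unrelated firewall log line
        m = SRC_RE.search(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def blacklist_commands(ips, persist=True):
    """One 'shorewall drop' per address, then 'shorewall save' to persist (assumed behaviour)."""
    cmds = [["shorewall", "drop", ip] for ip in ips]
    if persist and ips:
        cmds.append(["shorewall", "save"])
    return cmds


def process(lines, run=False):
    """Parse lines and return the commands; execute them only when run=True (needs root)."""
    cmds = blacklist_commands(offending_sources(lines))
    if run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    # Dry run over the sample; feed real lines with: tail -F /var/log/messages | python3 this.py -
    source = sys.stdin if sys.argv[1:] == ["-"] else SAMPLE_LOG.splitlines()
    for cmd in process(source):
        print(" ".join(cmd))
```

When reading from a live tail, the loop blocks until the tail ends, so for true real-time blocking call process() per line or batch on a timer rather than on the whole stream.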