Hi. On Sat, 16 Jan 2016 12:02:57 -0500 Steve Matzura <s...@noisynotes.com> wrote:
> Well, I thought I was doing so well. I discover now that no one,
> including me, can get into my system any more via ssh. Here are the
> current iptables rules:
>
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j DROP
> -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m hashlimit --hashlimit-upto 1/hour --hashlimit-burst 16 --hashlimit-mode srcip --hashlimit-name ssh --hashlimit-htable-expire 60000 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j DROP
> -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m hashlimit --hashlimit-upto 1/hour --hashlimit-burst 16 --hashlimit-mode srcip --hashlimit-name ssh --hashlimit-htable-expire 60000 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j DROP
> -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m hashlimit --hashlimit-upto 1/hour --hashlimit-burst 16 --hashlimit-mode srcip --hashlimit-name ssh --hashlimit-htable-expire 60000 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j DROP
> -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m hashlimit --hashlimit-upto 1/hour --hashlimit-burst 16 --hashlimit-mode srcip --hashlimit-name ssh --hashlimit-htable-expire 60000 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j DROP
> -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m hashlimit --hashlimit-upto 1/hour --hashlimit-burst 16 --hashlimit-mode srcip --hashlimit-name ssh --hashlimit-htable-expire 60000 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j DROP
> -A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j DROP
> -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m hashlimit --hashlimit-upto 1/hour --hashlimit-burst 16 --hashlimit-mode srcip --hashlimit-name ssh --hashlimit-htable-expire 60000 -j ACCEPT
> COMMIT
>
> What'd I do?

Exactly this:

iptables -F INPUT
iptables -I INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
    -m hashlimit --hashlimit 1/hour --hashlimit-burst 16 \
    --hashlimit-mode srcip --hashlimit-name ssh \
    --hashlimit-htable-expire 60000 -j ACCEPT
iptables -I INPUT -p tcp --dport 22 --tcp-flags SYN,RST,ACK SYN \
    -j DROP

Note that the order of netfilter rules is top-down (i.e. the highest matching rule plays). So the first rule on your current list, namely:

-A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j DROP

blocked anyone from using ssh.

Reco
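The following is an added example and not code from either message in this thread. It models an iptables chain as a string so that the two "-I" commands from the reply can be replayed without touching a real firewall: "-I INPUT" inserts at position 1, so whichever rule is inserted last lands on top, which is how the DROP rule ended up ahead of the hashlimit ACCEPT. It also shows why the quoted iptables-save dump contains repeated pairs (the same two inserts run again without "-F INPUT"), and prints the ruleset in iptables-restore format with the intended order. The ESTABLISHED,RELATED rule in that output is an addition of mine, not something either poster used; the rule bodies themselves are taken from the thread.

```shell
#!/bin/sh
# Added example: a text-only model of an iptables chain, used to show rule
# ordering under -I / -A / -F. Nothing here calls iptables; it only works on
# strings, so it runs on any machine without root.

# Rule bodies as posted in the thread (--hashlimit-upto is the spelling
# iptables-save prints for --hashlimit).
ACCEPT_RULE='-p tcp --dport 22 -m conntrack --ctstate NEW -m hashlimit --hashlimit-upto 1/hour --hashlimit-burst 16 --hashlimit-mode srcip --hashlimit-name ssh --hashlimit-htable-expire 60000 -j ACCEPT'
DROP_RULE='-p tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j DROP'

CHAIN=''                                   # one rule per line, rule 1 first

flush_chain() { CHAIN=''; }                # iptables -F INPUT

insert_rule() {                            # iptables -I INPUT <rule>: becomes rule 1
  if [ -z "$CHAIN" ]; then CHAIN=$1; else CHAIN=$(printf '%s\n%s' "$1" "$CHAIN"); fi
}

append_rule() {                            # iptables -A INPUT <rule>: goes last
  if [ -z "$CHAIN" ]; then CHAIN=$1; else CHAIN=$(printf '%s\n%s' "$CHAIN" "$1"); fi
}

# Target of rule 1, i.e. what a new SYN to port 22 hits first.
first_target() { printf '%s\n' "$CHAIN" | head -n 1 | sed 's/.*-j //'; }

# Number of port-22 rules currently in the chain.
rule_count() { printf '%s\n' "$CHAIN" | grep -c 'dport 22'; }

# The reply's sequence taken literally: -F, -I ACCEPT, -I DROP. The second
# -I pushes ACCEPT down, so DROP is rule 1 and every new SSH SYN is dropped
# before hashlimit gets a chance to accept it.
replay_as_posted() {
  flush_chain
  insert_rule "$ACCEPT_RULE"
  insert_rule "$DROP_RULE"
  first_target
}

# Same two rules, -I order reversed: ACCEPT is rule 1, DROP is the catch-all.
replay_fixed() {
  flush_chain
  insert_rule "$DROP_RULE"
  insert_rule "$ACCEPT_RULE"
  first_target
}

# Re-running the two inserts N times without "-F INPUT" stacks duplicate
# pairs, which is what the quoted iptables-save output shows.
replay_without_flush() {
  n=$1
  flush_chain
  i=0
  while [ "$i" -lt "$n" ]; do
    insert_rule "$ACCEPT_RULE"
    insert_rule "$DROP_RULE"
    i=$((i + 1))
  done
  rule_count
}

# Whole filter table in iptables-restore format, in the intended order.
# Using -A in a file makes the order explicit and reproducible. The
# ESTABLISHED,RELATED rule is my addition so replies to existing sessions
# are never throttled. Apply as root with: iptables-restore < rules.txt
emit_ruleset() {
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT $ACCEPT_RULE
-A INPUT $DROP_RULE
COMMIT
EOF
}

printf 'as posted, rule 1 target:      %s\n' "$(replay_as_posted)"
printf 'fixed order, rule 1 target:    %s\n' "$(replay_fixed)"
printf '7 runs without -F INPUT:       %s port-22 rules\n' "$(replay_without_flush 7)"
printf '\nintended ruleset:\n'
emit_ruleset
```

When applying a ruleset like this to a remote box, test it with iptables-apply (shipped with Debian's iptables package), which reverts to the previous rules unless you confirm within a timeout over the same SSH session; that avoids the lockout described in the thread.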