Am 04.05.2012 11:37, schrieb jdow: > But, then, I note your setting with --recent is not nearly as stringent as > mine. Any given address gets one connection per minute to ssh. That VASTLY > slows down dictionary attacks. Yours is a significant slow down; but, not > so much that somebody could not, as you put it, nibble around the edges to > get in. You have slowed down such attacks, though. That is good. > > It would be handy if there was an iptables rule that allowed skipping the > next rule in order if the special rule hit. Alas, I am unaware of such a > trick potential.
my sshd has a sepearte rule the intention of this rule is not to block it is a rate-control against DOS attacks since we had "Anonymous" with a distributed DOS attack last week i can say it works damned good - after replacing a burned down router :-) clearly you can not stand the whole DDOS from some thousand source IPs but it gives you enough time to filter them for a DROP rule - without this ratecontrol you could not operate on the machine before the DDOS it was limited to 100 connections/ip/second which results in "ab -c 50 -n 50000 http://host-on-machine/"; raise CPU load up to 100% for a short time, go down to 50% and changing between this both states (sorry baout bad english) with 75 instead of 100 evebn a "ab -c 4 -n 1000" is completly broken from outside the own network because "apache benchmark" thinks the host is dead after 83 connections and stops due too many errors - well, i guess exactly that is the problem for Nessus/OpenVAS and such software from outside now they triggered it all time before with portscans but only not notice
signature.asc
Description: OpenPGP digital signature
-- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
