Connection Limit Using Iptables
To solve the problem I had with dictionary attacks on ssh, I had to limit the connections for every IP.
There is one way described in FloodBlocking, but it has a lot of disadvantages.
The new way of solving the problem is to use iptables and the ipt_limit module.
An example is probably the simplest way to illustrate how it works. The following two rules will limit incoming connections to port 22 to no more than 3 attempts in a minute - any more than that will be dropped:
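# -I without a position inserts at the top and would reverse the two rules; explicit positions keep --set first
iptables -I INPUT 1 -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT 2 -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP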
The second rule is where the magic actually happens. The --update flag tests whether the IP address is in the list of recent connections; in our case each new connection on port 22 will be in the list, because we used the --set flag to add it in the preceding rule.
Once that's done the --seconds flag is used to make sure that the IP address is only going to match if the last connection was within the timeframe given. The --hitcount flag works in a similar way - matching only if the given count of connection attempts is greater than or equal to the number given.
Together the second line will DROP an incoming connection if:
- The IP address which initiated the connection has previously been added to the list and
- The IP address has sent a packet in the past 60 seconds and
- The IP address has sent more than 4 packets in total.
You should adjust --seconds and --hitcount flags to your needs.
The above commands can be used to limit connections for other ports, such as HTTP.
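The matching logic described above can be checked offline with a small model. This is an added example, not code from the original page or from netfilter; the function name, the sample timestamps and the single-address simplification are assumptions, and it follows the documented behaviour that --update records a timestamp only when it matches. It goes one step beyond the text by also modelling the reversed order (--update evaluated before --set), which is what two plain `-I INPUT` commands produce because each one inserts at the top of the chain.

```python
# Simplified model of the recent-list matching in the two rules (illustrative, not kernel code).
# Assumptions: one source address, every attempt is a NEW packet to the limited port,
# and the per-address timestamp list is unbounded (the kernel keeps a fixed number).

def simulate(attempt_times, seconds=60, hitcount=4, set_first=True):
    """Return 'PASS'/'DROP' for each attempt time (in seconds) from one address."""
    stamps = []  # timestamps recorded for this address in the recent list

    def rule_update(now):
        # --update --seconds N --hitcount M: match if the address is listed and
        # at least M recorded timestamps fall within the last N seconds.
        hits = sum(1 for s in stamps if now - s <= seconds)
        if hits >= hitcount:
            stamps.append(now)  # a matching --update refreshes the entry
            return True
        return False

    verdicts = []
    for now in attempt_times:
        if set_first:
            stamps.append(now)           # --set records the attempt first
            dropped = rule_update(now)
        else:
            dropped = rule_update(now)   # DROP ends traversal before --set
            if not dropped:
                stamps.append(now)
        verdicts.append("DROP" if dropped else "PASS")
    return verdicts

# Constructed sample traffic (seconds since first attempt), not real logs.
BURST = [0, 5, 10, 15, 20, 25, 100]   # fast guessing, then a 75 s pause
SLOW = [0, 25, 50, 75, 100]           # one attempt every 25 s

if __name__ == "__main__":
    print("set before update:", simulate(BURST))
    print("update before set:", simulate(BURST, set_first=False))
    print("slow client      :", simulate(SLOW))
```

The slow client is never dropped: the rules cap the guessing rate per address, they do not stop guessing altogether.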
More info:
http://www.debian-administration.org/articles/187
--
KlausO - 28 Jan 2007