From: Timur Batyrshin
To: sysadmins@lists.altlinux.org
Date: Thu, 18 Oct 2007 10:46:43 +0400
Subject: Re: [Sysadmins] IDS lists
Message-ID: <20071018104643.7f788fc1@batyrshin.ieml.ru>
References: <20071010093734.42b1874d@batyrshin.ieml.ru> <20071017170500.39b79559@batyrshin.ieml.ru>

Vladimir V. Kamarzin (Thu, 18 Oct 2007 11:22:49 +0600):

> >> Example of an ssh block from asy@:
> >>
> >> # cat /etc/net/ifaces/top/fw/iptables/filter/INPUT
> >> [...]
> >> # ssh restriction
> >> -p TCP --syn --dport 22 -s xxx.xxx.xxx.0/28 -j ACCEPT
> >> -p TCP --syn --dport 22 -m recent --name ssh_rate_limit --set
> >> -p TCP --syn --dport 22 -m recent --name ssh_rate_limit --update --seconds 60 --hitcount 4 -j LOG
> >> -p TCP --syn --dport 22 -m recent --name ssh_rate_limit --update --seconds 60 --hitcount 4 -j DROP
>
> TB> And in the last case, wouldn't --rcheck be better than --update?
> TB> Otherwise every SYN will be counted twice.
>
> How did you determine that?
>

An excerpt from the man page:

---
[!] --rcheck
    Check if the source address of the packet is currently in the list.

[!] --update
    Like --rcheck, except it will update the "last seen" timestamp if it matches.
---

Though, on the other hand:

---
[!] --hitcount hits
    This option must be used in conjunction with one of --rcheck or --update. When used, this will narrow the match to only happen when the address is in the list and packets had been received greater than or equal to the given value. This option may be used along with --seconds to create an even narrower match requiring a certain number of hits within a specific time frame.
---

It is not entirely clear whether it counts the packets themselves (in which case it really does not matter how many times --update appears in the chain) or rule matches.
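To make the --update versus --rcheck question concrete, here is an added example that is not part of the thread and not code from anyone on the list: a small model of the iptables `recent` match list, written to follow the match logic of the kernel's xt_recent/ipt_recent as the author of this example understands it (--set always appends a "last seen" stamp for the source; --update appends one only when the rule matched; --rcheck never does; --hitcount counts the stamps inside the --seconds window). It replays the quoted chain twice, once as posted and once with --rcheck, over a constructed SYN stream. The allow-list prefix 192.0.2.0/28, the addresses, the timings and the ACCEPT assumed to follow the quoted fragment are all assumptions made here.

```python
# Added example: a model of the iptables `recent` match list (xt_recent),
# following the kernel match logic as understood by the author of this example.
# It is not kernel code. --set always appends a "last seen" stamp for the
# source; --update appends one only when the rule matched; --rcheck never does;
# --hitcount counts the stamps inside the --seconds window. Addresses, timings,
# the allow-list prefix and the trailing ACCEPT are constructed assumptions.
import ipaddress

PKT_LIST_TOT = 20   # default of the module's ip_pkt_list_tot parameter
WINDOW, HITS = 60, 4
ALLOWED = ipaddress.ip_network("192.0.2.0/28")   # stands in for xxx.xxx.xxx.0/28


class RecentList:
    """One named list: source address -> ring of 'last seen' stamps (seconds)."""

    def __init__(self, list_tot=PKT_LIST_TOT):
        self.list_tot = list_tot
        self.stamps = {}   # src -> stamps, oldest first

    def match(self, src, now, *, set_=False, rcheck=False, update=False,
              seconds=0, hitcount=1):
        entry = self.stamps.get(src)
        if entry is None:
            if not set_:
                return False          # --rcheck/--update never match an unknown source
            entry = self.stamps[src] = []
        matched = set_
        if rcheck or update:
            hits = 0
            for ts in entry:
                if seconds and ts < now - seconds:
                    continue          # stamp is older than the --seconds window
                hits += 1
                if hits >= hitcount:
                    matched = True
                    break
        if set_ or (update and matched):
            entry.append(now)         # --set always stamps, --update only on a match
            if len(entry) > self.list_tot:
                entry.pop(0)          # ring buffer: the oldest stamp is overwritten
        return matched

    def count(self, src):
        return len(self.stamps.get(src, []))


def build_chain(check):
    """The quoted INPUT fragment as (match, target) pairs; check is 'update' or 'rcheck'."""
    rl = RecentList()
    opts = {check: True, "seconds": WINDOW, "hitcount": HITS}
    rules = [
        (lambda src, now: ipaddress.ip_address(src) in ALLOWED, "ACCEPT"),
        (lambda src, now: rl.match(src, now, set_=True), None),   # --set has no -j
        (lambda src, now: rl.match(src, now, **opts), "LOG"),     # LOG does not terminate
        (lambda src, now: rl.match(src, now, **opts), "DROP"),
    ]
    return rl, rules


def run_chain(rules, syns, default="ACCEPT"):
    """Verdict per (src, time) SYN; `default` is the assumed rule after the fragment."""
    verdicts = []
    for src, now in syns:
        verdict = default
        for match, target in rules:
            if match(src, now) and target in ("ACCEPT", "DROP"):
                verdict = target
                break
        verdicts.append(verdict)
    return verdicts


ATTACKER, ADMIN = "203.0.113.7", "192.0.2.3"
# Constructed SYN stream: five attempts 5 s apart, one admin login, one retry 52 s later.
SYNS = [(ATTACKER, 0), (ADMIN, 3), (ATTACKER, 5), (ATTACKER, 10),
        (ATTACKER, 15), (ATTACKER, 20), (ATTACKER, 72)]


def compare(check, syns=SYNS):
    """Returns (verdicts, stamps recorded for the attacker, stamps for the admin)."""
    rl, rules = build_chain(check)
    verdicts = run_chain(rules, syns)
    return verdicts, rl.count(ATTACKER), rl.count(ADMIN)


if __name__ == "__main__":
    for check in ("update", "rcheck"):
        verdicts, attacker_stamps, admin_stamps = compare(check)
        print(f"--{check}: {verdicts}, attacker stamps={attacker_stamps}, "
              f"admin stamps={admin_stamps}")
```

Under this model the two chains agree until the threshold is reached, but once the attacker is over it every further SYN adds three stamps with --update (one from --set and one from each matching --update rule) against one with --rcheck. The effect shows up in the last packet: after 52 seconds of silence the --rcheck chain sees only three stamps inside the 60-second window and accepts the SYN, while the --update chain still sees seven and drops it. A stickier block may be what an operator wants, but it means "--hitcount 4 --seconds 60" no longer means four SYNs in 60 seconds, and with two --update rules the answer to the question in the mail is that matches, not packets, are what get stamped. On a real host the stamps for a source can be read from /proc/net/xt_recent/ssh_rate_limit (older kernels: /proc/net/ipt_recent/ssh_rate_limit) to confirm how many entries a single SYN produced.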