For bruteforce protection I have this chain:
Code:
-A bruteprotect -m recent --set --name BRUTEFORCE --rsource
-A bruteprotect -m recent ! --update --seconds 60 --hitcount 4 --name BRUTEFORCE --rsource -j RETURN
-A bruteprotect -j LOG --log-prefix "[DROP BRUTEFORCE] : " --log-tcp-options --log-ip-options
-A bruteprotect -j DROP
I can call that chain to protect my SSH server:
Code:
-A INPUT -p tcp -m tcp --dport 22 -j bruteprotect
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
I wanted to use this same procedure to protect a DNS-server from silly Apple requests like this.
The following example should not be used for this purpose!!:
Code:
-A dnsbugtest -m length ! --length 89 -j RETURN
-A dnsbugtest -m string --algo kmp --string ! "dnsbugtest" -j RETURN
-A dnsbugtest -m recent --set --name DNSBUGTEST --rsource
-A dnsbugtest -m recent ! --update --seconds 60 --hitcount 5 --name DNSBUGTEST --rsource -j RETURN
-A dnsbugtest -j LOG --log-prefix "[DROP dnsbugtest] : " --log-tcp-options --log-ip-options
-A dnsbugtest -j DROP
It does work in that it detects those exact DNS requests (the 1st part), but after it reaches the threshold of 5 it will block that request for as long as it keeps trying, which is forever....
That may be what you want if someone tries to log in to your SSH server, but you don't want this with this kind of traffic.
After a minute I want to allow him again for another 5 requests.
I dismissed the limit rule because it doesn't keep different tables for each remote IP.
I experimented a while with rcheck / set and update but in the end I got a headache.
I am interested in a blocking method like the 1st example with the difference that it should ignore subsequent tries...
At the moment I'm not interested in info about 'dnsbugtest' itself, but maybe later on.
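To see why the posted chain keeps dropping as long as the client keeps sending, and how reordering the rules gives the "5 per minute, then allowed again" behaviour asked for, here is a small Python model of the recent match. This is an added illustration, not code from the post and not kernel code: it approximates xt_recent as I understand it (each source keeps a ring of hit timestamps, ip_pkt_list_tot defaults to 20; --set appends a stamp; --rcheck counts stamps no older than --seconds and matches once the count reaches --hitcount without touching the ring; --update does the same and appends a stamp only when the rule, after any '!', matches). The source address, the timestamps and the reordered chain it compares against are my constructions.

```python
# Added illustration (not from the post): a model of the iptables 'recent'
# match, used to compare the posted dnsbugtest chain with a reordered one.
# It approximates xt_recent; check the real ring on a box with
#   cat /proc/net/xt_recent/DNSBUGTEST
from collections import defaultdict


class RecentTable:
    """One --name table of the recent match, keyed by source address."""

    def __init__(self, max_stamps=20):        # ip_pkt_list_tot, default 20
        self.stamps = defaultdict(list)
        self.max_stamps = max_stamps

    def set(self, src, now):
        ring = self.stamps[src]
        ring.append(now)
        del ring[:-self.max_stamps]            # oldest stamps fall off the ring

    def _hits(self, src, now, seconds):
        return sum(1 for t in self.stamps.get(src, ()) if now - t <= seconds)

    def rcheck(self, src, now, seconds, hitcount, invert=False):
        matched = src in self.stamps and self._hits(src, now, seconds) >= hitcount
        return matched != invert               # '!' flips the verdict

    def update(self, src, now, seconds, hitcount, invert=False):
        matched = self.rcheck(src, now, seconds, hitcount, invert)
        if matched and src in self.stamps:     # --update never creates an entry
            self.set(src, now)
        return matched


def posted_chain(table, src, now):
    """The dnsbugtest chain from the post after its length/string filters:
    --set on every packet, then '! --update --seconds 60 --hitcount 5 -j RETURN',
    then LOG/DROP. Every packet, allowed or dropped, adds a stamp."""
    table.set(src, now)
    if table.update(src, now, 60, 5, invert=True):
        return "RETURN"
    return "DROP"


def reordered_chain(table, src, now):
    """Suggested alternative (mine, not the post's): check before set, and
    leave the ring untouched for dropped packets, so the block ends once the
    older stamps age out of the 60-second window. As iptables rules:
      -A dnsbugtest -m recent --rcheck --seconds 60 --hitcount 5 --name DNSBUGTEST --rsource -j LOG --log-prefix "[DROP dnsbugtest] : "
      -A dnsbugtest -m recent --rcheck --seconds 60 --hitcount 5 --name DNSBUGTEST --rsource -j DROP
      -A dnsbugtest -m recent --set --name DNSBUGTEST --rsource -j RETURN"""
    if table.rcheck(src, now, 60, 5):
        return "DROP"
    table.set(src, now)
    return "RETURN"


def run(chain, packets):
    """Feed (time, source) packets, constructed input, through a fresh table."""
    table = RecentTable()
    return [chain(table, src, t) for t, src in packets]


if __name__ == "__main__":
    steady = [(t, "198.51.100.7") for t in range(300)]   # one query per second for 5 minutes
    for name, chain in (("posted", posted_chain), ("reordered", reordered_chain)):
        v = run(chain, steady)
        print(f"{name:9s}: {v.count('RETURN')} allowed of {len(v)}; "
              f"verdicts after t=100 all DROP: {set(v[100:]) == {'DROP'}}")
```

Under a steady one-query-per-second stream the posted ordering stops letting anything through and never recovers, because the unconditional --set keeps the per-source stamp count above the hit count; the reordered chain lets about five packets through per source per sliding 60-second window and goes back to RETURN as soon as the old stamps expire. The model also shows why a per-source table from the recent match already does what the post wanted from limit: each --rsource entry is counted on its own.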