Re: IPTables rules and hosts that use DHCP



K. Jennings staggered into the Black Sun and said:
On Thu, 27 Dec 2007 14:03:59 -0600, Moe Trin wrote:
K. Jennings wrote:
I have a set of IPTables rules to keep SSH attacks at bay.
Essentially, the rules blacklist hosts that attempt to connect more
than three times within a 30 second time interval. I also have an
IPTables rule that exempts some hosts from such constraints - that
is, SSH connections from such hosts are accepted at any connection
rate.
Do you really need to allow access to the entire world?
I have to allow a priori potential access from anywhere.

Yes, but is there a reason you can't throttle everywhere? You mentioned
throttling and never went back to it; is this intentional?

one of those hosts uses DHCP, and its IP address changes with time. I
I'm assuming that "A" is some remote host you want to allow. There
really isn't a dynamic way out of things. What I've been doing is to
allow access to the pool of addresses that the allowed host may get
assigned.
The problem that I have is that A seems to be able to take up a wide
variety of IP addresses. They don't seem to be constrained to a
specific network, as far as I can tell. Indeed, not even the first
components of the IP addresses used are always the same.

Port knocking? knockd , knock , a few rules like so:

[example]
sequence = 102:udp,333:tcp,525:udp,8000:tcp
seq_timeout = 10
tcpflags = syn
command = /sbin/iptables -I INPUT 1 -s %IP% -p tcp --dport 22 -j ACCEPT

....any IP provides the right sequence of knocks to the server running
knockd, that IP gets an obvious iptables rule change for it. Downside
is that you have to install knock or its 'Doze equivalent on the client
machines. (The last rule in INPUT is of course -p tcp --dport 22 -j
REJECT here.)

Do you HAVE to have your SSH server on port 22,
The problem is that some people who would like to connect to my boxes
work with ISPs that do traffic management, and connections to
non-standard ports are severely limited, performance-wise,

How annoying. But interactive ssh sessions are generally OK on a thin
pipe. Are you scp'ing tons of crap, or tunneling other traffic?

--
"We all get our dreams stamped on from time to time, right? If it
didn't hurt, then what kind of second-rate dreams would they be?"
--Richard K. Morgan, _Woken Furies_
Matt G|There is no Darkness in Eternity/But only Light too dim for us to see
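Added example, not code from the thread or from any of its posters: a small model of the SSH access policy the thread describes (a static exempt list, a "more than three new connections in 30 seconds gets you blocked" throttle, and the knockd sequence from Matt G's [example], whose success adds the knocking source to the exempt list). K. Jennings never shows his actual throttle rules, so the throttle here assumes the common `-m recent --set` / `-m recent --update --seconds 30 --hitcount 4 -j DROP` pair; the knock state machine follows knockd's documented seq_timeout and tcpflags = syn behaviour, and the handling of a wrong knock is an assumption noted in the code. All addresses and packets are constructed sample data.

```python
"""Model of the thread's SSH policy: exempt list + recent-module throttle + knockd sequence."""
from collections import defaultdict, deque
from dataclasses import dataclass

# Knock sequence and timeout taken from the knockd [example] in the post.
KNOCK_SEQUENCE = [(102, "udp"), (333, "tcp"), (525, "udp"), (8000, "tcp")]
SEQ_TIMEOUT = 10.0      # seconds to complete the whole sequence (knockd seq_timeout)
SSH_PORT = 22
RATE_WINDOW = 30.0      # assumed: -m recent ... --seconds 30
RATE_HITS = 3           # assumed: --hitcount 4, i.e. more than 3 new connections -> DROP


@dataclass
class Packet:
    """The fields of an inbound packet that the policy looks at (constructed input)."""
    t: float            # arrival time in seconds
    src: str            # source IP
    dport: int
    proto: str = "tcp"
    syn: bool = True    # for tcp: True for a new connection (SYN)


class SshGuard:
    def __init__(self, exempt=()):
        self.exempt = set(exempt)           # hosts accepted at any connection rate
        self.knock_state = {}               # src -> (index of next expected knock, time of first knock)
        self.recent = defaultdict(deque)    # src -> arrival times of SSH SYNs (the -m recent list)

    def _knock(self, pkt):
        """Advance or reset the per-source knock sequence, following knockd semantics."""
        if pkt.proto == "tcp" and not pkt.syn:
            return                                  # tcpflags = syn: only SYNs count as knocks
        idx, first = self.knock_state.get(pkt.src, (0, pkt.t))
        if pkt.t - first > SEQ_TIMEOUT:
            idx, first = 0, pkt.t                   # seq_timeout expired: start over from this knock
        if (pkt.dport, pkt.proto) != KNOCK_SEQUENCE[idx]:
            self.knock_state.pop(pkt.src, None)     # wrong knock aborts the sequence (assumption:
            return                                  # the stray packet is not counted as a restart)
        idx += 1
        if idx == len(KNOCK_SEQUENCE):
            # knockd's 'command' line: iptables -I INPUT 1 -s %IP% -p tcp --dport 22 -j ACCEPT
            self.exempt.add(pkt.src)
            self.knock_state.pop(pkt.src, None)
        else:
            self.knock_state[pkt.src] = (idx, first)

    def filter(self, pkt):
        """Return the verdict the INPUT chain gives this packet under the modelled policy."""
        if pkt.proto != "tcp" or pkt.dport != SSH_PORT:
            self._knock(pkt)                # knockd only observes the attempt; the port itself
            return "REJECT"                 # is closed (assumed; the post's chain does not show it)
        if pkt.src in self.exempt:
            return "ACCEPT"                 # exempt host: no rate limit at all
        if not pkt.syn:
            return "ACCEPT"                 # established session; conntrack lets it through
        hits = self.recent[pkt.src]
        hits.append(pkt.t)                  # -m recent --set runs for every NEW SSH SYN, dropped ones too
        while hits and pkt.t - hits[0] > RATE_WINDOW:
            hits.popleft()                  # forget hits that fell out of the --seconds window
        if len(hits) > RATE_HITS:
            return "DROP"                   # -m recent --update --seconds 30 --hitcount 4 -j DROP
        return "ACCEPT"


def run(guard, packets):
    """Apply the policy to a packet sequence and return the verdicts in order."""
    return [guard.filter(p) for p in packets]


if __name__ == "__main__":
    g = SshGuard(exempt={"192.0.2.10"})                     # constructed sample addresses
    brute = [Packet(t, "10.0.0.5", 22) for t in range(5)]
    print("brute force:", run(g, brute))                    # three accepted, then dropped
    knocks = [Packet(0, "203.0.113.7", 102, "udp"), Packet(1, "203.0.113.7", 333),
              Packet(2, "203.0.113.7", 525, "udp"), Packet(3, "203.0.113.7", 8000)]
    run(g, knocks)
    print("after knock:", run(g, [Packet(4 + i, "203.0.113.7", 22) for i in range(6)]))
```

Two things the model makes visible that the thread only implies: with `--update`, every dropped attempt still lands in the recent list, so a host that keeps hammering stays blocked for as long as it keeps trying; and the DHCP host Jennings worries about never needs a fixed address, because each new address simply knocks again and is exempted from then on.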