On Thu, 30 Mar 2006, Jeff Rosowski wrote:

> You can also use iptables for rate limiting, ala adding the following to
> your existing iptables configuration:
>
> -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ALLOWED
>
> :ALLOWED - [0:0]
> -A ALLOWED -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A ALLOWED -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 3/min --limit-burst 3 -j ACCEPT
> -A ALLOWED -p tcp -j LOG --log-prefix " DROP RATE_LIMIT " --log-tcp-options --log-ip-options
> -A ALLOWED -p tcp -j REJECT --reject-with icmp-port-unreachable
>
> That limits the bad connections to 3 per minute, and you don't have to
> worry about DOSing yourself.


I've seen a number of iptables rules with this basic idea, but they
don't actually tell the difference between bad and good connections
(I confirmed with Jeff that this was the case here). This means a
self-inflicted denial of service is possible (maybe even probable
depending on your environment). Before deploying an iptables rule
that does this, you should check your logs and make sure you don't
have legitimate traffic with that sort of frequency. As an example
from one server I manage, here's a sanitized log excerpt showing a
single user making six legitimate connections within one minute (I
know they're legit because I know the user). I'm nearly certain this
is from either web editing or file transfer software that speaks SSH,
but isn't smart enough to transfer files in a single connection.


Mar 1 12:36:09 fiat sshd[15614]: Accepted password for someuser from ###.###.###.### port 50391 ssh2
Mar 1 12:36:09 fiat sshd[15614]: subsystem request for sftp
Mar 1 12:36:09 fiat sshd(pam_unix)[15614]: session opened for user
someuser by (uid=0)
Mar 1 12:36:11 fiat sshd(pam_unix)[15614]: session closed for user
someuser
Mar 1 12:36:18 fiat sshd[15669]: Accepted password for someuser from
###.###.###.### port 50392 ssh2
Mar 1 12:36:18 fiat sshd[15669]: subsystem request for sftp
Mar 1 12:36:18 fiat sshd(pam_unix)[15669]: session opened for user
someuser by (uid=0)
Mar 1 12:36:18 fiat sshd(pam_unix)[15669]: session closed for user
someuser
Mar 1 12:36:20 fiat sshd[15677]: Accepted password for someuser from
###.###.###.### port 50393 ssh2
Mar 1 12:36:20 fiat sshd[15677]: subsystem request for sftp
Mar 1 12:36:20 fiat sshd(pam_unix)[15677]: session opened for user
someuser by (uid=0)
Mar 1 12:36:23 fiat sshd(pam_unix)[15677]: session closed for user
someuser
Mar 1 12:36:31 fiat sshd[15706]: Accepted password for someuser from
###.###.###.### port 50394 ssh2
Mar 1 12:36:31 fiat sshd[15706]: subsystem request for sftp
Mar 1 12:36:31 fiat sshd(pam_unix)[15706]: session opened for user
someuser by (uid=0)
Mar 1 12:36:31 fiat sshd(pam_unix)[15706]: session closed for user
someuser
Mar 1 12:36:35 fiat sshd[15715]: Accepted password for someuser from
###.###.###.### port 50395 ssh2
Mar 1 12:36:35 fiat sshd[15715]: subsystem request for sftp
Mar 1 12:36:35 fiat sshd(pam_unix)[15715]: session opened for user
someuser by (uid=0)
Mar 1 12:36:46 fiat sshd(pam_unix)[15715]: session closed for user
someuser
Mar 1 12:36:52 fiat sshd[15757]: Accepted password for someuser from
###.###.###.### port 50396 ssh2
Mar 1 12:36:52 fiat sshd[15757]: subsystem request for sftp
Mar 1 12:36:52 fiat sshd(pam_unix)[15757]: session opened for user
someuser by (uid=0)
Mar 1 12:36:53 fiat sshd(pam_unix)[15757]: session closed for user
someuser

--
Public key #7BBC68D9 at | Shane Williams
http://pgp.mit.edu/ | System Admin - UT iSchool
=----------------------------------+-------------------------------
All syllogisms contain three lines | broot@ischool.utexas.edu
Therefore this is not a syllogism | www.ischool.utexas.edu/~shanew