
Commit 9c0a40a7 authored by Leigh B Stoller

Rate limit ssh connections in BASIC to 3/60; the openvz nodes are getting attacked again. I need to switch them all to closed at some point.
parent 8385aef3
...@@ -126,9 +126,9 @@ iptables -A INPUT -s EMULAB_GWIP,EMULAB_VGWIP -j ACCEPT # BASIC,CLOSED,ELABINELA ...@@ -126,9 +126,9 @@ iptables -A INPUT -s EMULAB_GWIP,EMULAB_VGWIP -j ACCEPT # BASIC,CLOSED,ELABINELA
# #
# In BASIC, we allow ssh from anywhere on port 22, but we rate limit it. # In BASIC, we allow ssh from anywhere on port 22, but we rate limit it.
# #
iptables -A INPUT -p tcp --syn --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH # BASIC iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH # BASIC
iptables -A INPUT -p tcp --syn --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 100 --hitcount 10 --rttl --name SSH -j DROP # BASIC iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j DROP # BASIC
iptables -A INPUT -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # BASIC iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT # BASIC
# #
# Allow outgoing http so we can update packages. # Allow outgoing http so we can update packages.
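Review bot: the rule order in this hunk makes the effective limit 2 new connections per 60 s rather than the 3/60 stated in the commit message. The `-m recent --set --name SSH` rule runs first and records the current SYN, so when the next rule `-m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j DROP` is evaluated on the third attempt, the source already has three hits and is dropped. If three attempts per minute is the intent, use `--hitcount 4`, or put the `--set` rule after the DROP rule. Separately, all three rewritten rules drop `--syn` and the message does not say why; with `--ctstate NEW` alone, conntrack's default loose TCP tracking (nf_conntrack_tcp_loose=1) can create a NEW entry for a non-SYN packet, so bare-ACK probes now count against the per-source limit and can reach the final `-j ACCEPT`. Keep `--syn` unless there is a reason to remove it. Worth recording in the comment above the rules too: because the DROP rule uses `--update`, every blocked attempt refreshes the source's timestamp, so a host that keeps retrying (an attacker, or a user opening several ssh/scp sessions in a row) stays locked out until it has been quiet for 60 s.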