Use ipsets for cool off period

2019-08-30 02:34:58 +00:00
parent 41c2343f75
commit a44a6540ba
5 changed files with 14 additions and 6 deletions


@@ -17,7 +17,8 @@
-N LIMIT_SSH
-A LIMIT_SSH -m recent --set --name SSH --rsource
-A LIMIT_SSH -m recent --update --seconds {{ firewall_limit_ssh_seconds }} --hitcount {{ firewall_limit_ssh_hitcount }} --name SSH --rsource -m limit --limit {{ firewall_log_limit }} --limit-burst {{ firewall_log_limit_burst }} -j LOG --log-prefix "[iptables SSH BRUTE] " --log-level info
-A LIMIT_SSH -p tcp -m tcp -m recent --update --seconds {{ firewall_limit_ssh_seconds }} --hitcount {{ firewall_limit_ssh_hitcount }} --name SSH --rsource -m comment --comment "rate limit ssh 22/tcp" -j REJECT --reject-with tcp-reset
-A LIMIT_SSH -p tcp -m tcp -m recent --update --seconds {{ firewall_limit_ssh_seconds }} --hitcount {{ firewall_limit_ssh_hitcount }} --name SSH --rsource -j SET --add-set cooloff_v4 src
-A LIMIT_SSH -p tcp -m tcp -m set --match-set cooloff_v4 src -m comment --comment "rate limit ssh 22/tcp" -j REJECT --reject-with tcp-reset
-A LIMIT_SSH -j ACCEPT
{% endif %}
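Review bot: The new `-j SET --add-set cooloff_v4 src` rule and the `--match-set cooloff_v4 src` REJECT that follows it depend on a set whose creation and timeout are not visible in this hunk, so the length of the cool-off cannot be confirmed from here. If `cooloff_v4` does not exist when the rules are loaded, both rules are refused, and with iptables-restore that normally fails the whole ruleset. If the set was created without a timeout, a source added here stays rejected until it is removed by hand. I would state the duration on the rule itself, e.g. `-j SET --add-set cooloff_v4 src --exist --timeout <cooloff_seconds>` (placeholder value; this needs a set created with timeout support), and confirm the set is created before the rules are restored. The conditional that `{% endif %}` closes opens outside the hunk; since a listed address now stays blocked after the `recent` window has passed, it is also worth checking that trusted management addresses are accepted before the jump into LIMIT_SSH.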