s/cooldown/cooloff/g

This commit is contained in:
Ryan Cavicchioni 2019-09-02 17:54:36 +00:00
parent 3e8161f350
commit db3ccb5769
Signed by: ryanc
GPG Key ID: 877EEDAF9245103D
5 changed files with 5 additions and 5 deletions

View File

@ -60,7 +60,7 @@ firewall_limit_ssh_hitcount: 10
firewall_bogon_interface: "{{ ansible_default_ipv4.interface }}" firewall_bogon_interface: "{{ ansible_default_ipv4.interface }}"
# ipset's # ipset's
firewall_ipset_scanner_timeout: 600 firewall_ipset_cooloff_timeout: 600
firewall_ipset_blacklist: {} firewall_ipset_blacklist: {}

View File

@ -25,6 +25,7 @@
{% if firewall_limit_ssh %} {% if firewall_limit_ssh %}
-N LIMIT_SSH -N LIMIT_SSH
-A LIMIT_SSH -p tcp -m tcp -m set --match-set cooloff_v6 src -m comment --comment "rate limit ssh 22/tcp" -j REJECT --reject-with tcp-reset
-A LIMIT_SSH -m recent --set --name SSH --rsource -A LIMIT_SSH -m recent --set --name SSH --rsource
{% if firewall_use_ulogd %} {% if firewall_use_ulogd %}
-A LIMIT_SSH -m recent --update --seconds {{ firewall_limit_ssh_seconds }} --hitcount {{ firewall_limit_ssh_hitcount }} --name SSH --rsource -m limit --limit {{ firewall_log_limit }} --limit-burst {{ firewall_log_limit_burst }} -j NFLOG --nflog-prefix "[iptables SSH BRUTE] " -A LIMIT_SSH -m recent --update --seconds {{ firewall_limit_ssh_seconds }} --hitcount {{ firewall_limit_ssh_hitcount }} --name SSH --rsource -m limit --limit {{ firewall_log_limit }} --limit-burst {{ firewall_log_limit_burst }} -j NFLOG --nflog-prefix "[iptables SSH BRUTE] "
@ -32,7 +33,6 @@
-A LIMIT_SSH -m recent --update --seconds {{ firewall_limit_ssh_seconds }} --hitcount {{ firewall_limit_ssh_hitcount }} --name SSH --rsource -m limit --limit {{ firewall_log_limit }} --limit-burst {{ firewall_log_limit_burst }} -j LOG --log-prefix "[iptables SSH BRUTE] " --log-level info -A LIMIT_SSH -m recent --update --seconds {{ firewall_limit_ssh_seconds }} --hitcount {{ firewall_limit_ssh_hitcount }} --name SSH --rsource -m limit --limit {{ firewall_log_limit }} --limit-burst {{ firewall_log_limit_burst }} -j LOG --log-prefix "[iptables SSH BRUTE] " --log-level info
{% endif %} {% endif %}
-A LIMIT_SSH -p tcp -m tcp -m recent --update --seconds {{ firewall_limit_ssh_seconds }} --hitcount {{ firewall_limit_ssh_hitcount }} --name SSH --rsource -j SET --add-set cooloff_v6 src -A LIMIT_SSH -p tcp -m tcp -m recent --update --seconds {{ firewall_limit_ssh_seconds }} --hitcount {{ firewall_limit_ssh_hitcount }} --name SSH --rsource -j SET --add-set cooloff_v6 src
-A LIMIT_SSH -p tcp -m tcp -m set --match-set cooloff_v6 src -m comment --comment "rate limit ssh 22/tcp" -j REJECT --reject-with tcp-reset
-A LIMIT_SSH -j ACCEPT -A LIMIT_SSH -j ACCEPT
{% endif %} {% endif %}

View File

@ -12,4 +12,4 @@ add {{ name }} {{ ip_or_net }}
{{ render_ipset(firewall_ipset_bogons.v4, 'bogons_v4') }} {{ render_ipset(firewall_ipset_bogons.v4, 'bogons_v4') }}
{{ render_ipset([], 'cooloff_v4', type="hash:ip", timeout=firewall_ipset_scanner_timeout) }} {{ render_ipset([], 'cooloff_v4', type="hash:ip", timeout=firewall_ipset_cooloff_timeout) }}

View File

@ -12,4 +12,4 @@ add {{ name }} {{ ip_or_net }}
{{ render_ipset(firewall_ipset_bogons.v6, 'bogons_v6') }} {{ render_ipset(firewall_ipset_bogons.v6, 'bogons_v6') }}
{{ render_ipset([], 'cooloff_v6', type="hash:ip", timeout=firewall_ipset_scanner_timeout) }} {{ render_ipset([], 'cooloff_v6', type="hash:ip", timeout=firewall_ipset_cooloff_timeout) }}

View File

@ -25,6 +25,7 @@
{% if firewall_limit_ssh %} {% if firewall_limit_ssh %}
-N LIMIT_SSH -N LIMIT_SSH
-A LIMIT_SSH -p tcp -m tcp -m set --match-set cooloff_v4 src -m comment --comment "rate limit ssh 22/tcp" -j REJECT --reject-with tcp-reset
-A LIMIT_SSH -m recent --set --name SSH --rsource -A LIMIT_SSH -m recent --set --name SSH --rsource
{% if firewall_use_ulogd %} {% if firewall_use_ulogd %}
-A LIMIT_SSH -m recent --update --seconds {{ firewall_limit_ssh_seconds }} --hitcount {{ firewall_limit_ssh_hitcount }} --name SSH --rsource -m limit --limit {{ firewall_log_limit }} --limit-burst {{ firewall_log_limit_burst }} -j NFLOG --nflog-prefix "[iptables SSH BRUTE] " -A LIMIT_SSH -m recent --update --seconds {{ firewall_limit_ssh_seconds }} --hitcount {{ firewall_limit_ssh_hitcount }} --name SSH --rsource -m limit --limit {{ firewall_log_limit }} --limit-burst {{ firewall_log_limit_burst }} -j NFLOG --nflog-prefix "[iptables SSH BRUTE] "
@ -32,7 +33,6 @@
-A LIMIT_SSH -m recent --update --seconds {{ firewall_limit_ssh_seconds }} --hitcount {{ firewall_limit_ssh_hitcount }} --name SSH --rsource -m limit --limit {{ firewall_log_limit }} --limit-burst {{ firewall_log_limit_burst }} -j LOG --log-prefix "[iptables SSH BRUTE] " --log-level info -A LIMIT_SSH -m recent --update --seconds {{ firewall_limit_ssh_seconds }} --hitcount {{ firewall_limit_ssh_hitcount }} --name SSH --rsource -m limit --limit {{ firewall_log_limit }} --limit-burst {{ firewall_log_limit_burst }} -j LOG --log-prefix "[iptables SSH BRUTE] " --log-level info
{% endif %} {% endif %}
-A LIMIT_SSH -p tcp -m tcp -m recent --update --seconds {{ firewall_limit_ssh_seconds }} --hitcount {{ firewall_limit_ssh_hitcount }} --name SSH --rsource -j SET --add-set cooloff_v4 src -A LIMIT_SSH -p tcp -m tcp -m recent --update --seconds {{ firewall_limit_ssh_seconds }} --hitcount {{ firewall_limit_ssh_hitcount }} --name SSH --rsource -j SET --add-set cooloff_v4 src
-A LIMIT_SSH -p tcp -m tcp -m set --match-set cooloff_v4 src -m comment --comment "rate limit ssh 22/tcp" -j REJECT --reject-with tcp-reset
-A LIMIT_SSH -j ACCEPT -A LIMIT_SSH -j ACCEPT
{% endif %} {% endif %}