NEW "SSH Brute Force " ruleset (20050628.0)

curby . curby.public at
Sat Jul 2 19:13:41 CEST 2005

On 7/1/05, Marius Mertens <marius.mertens at> wrote:
> Add a host to a special whiltelist after doing something special, like
> connecting to a certain port, which would lower the risk of a DOS (they can
> still try, but you can override it)

I've been considering this too.  It's actually a simple form of port
knocking that can be implemented exclusively in iptables (without the
need of extra tools).  The primary goal of port knocking is to foil
port scans, but it could be applicable here.

To protect against DoS, is there any easy way of requiring that three
packets be transferred in an SSH connection before it triggers a
recent update?  Since someone spoofing source IPs to DoS would be
unlikely to continue the connection with the server, such DoS attacks
might be foiled more effectively this way than using rttl (which the
attacker can just exhaustively try all values for).

More information about the netfilter mailing list