From 811fdac32d4fbcdc3b4d9238545f90a9656dee58 Mon Sep 17 00:00:00 2001
From: Robert Langhammer
Date: Fri, 12 Feb 2021 01:55:20 +0100
Subject: [PATCH] fff-firewall: Add ipv4 ssh connection limit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
With commit [1] the ipv4 firewall on wan interface was removed. This patch adds the ssh connection limit for ipv4. IPv6 is already limited.
[1] 52e15e072cff ("fff-firewall: Remove ssh firewall on WAN interface")
Signed-off-by: Robert Langhammer
Reviewed-by: Fabian Bläse
[improve commit reference]
Signed-off-by: Adrian Schmutzler
---
 src/packages/fff/fff-firewall/Makefile | 2 +-
 .../fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/packages/fff/fff-firewall/Makefile b/src/packages/fff/fff-firewall/Makefile
index 75ecb6ce..6384a899 100644
--- a/src/packages/fff/fff-firewall/Makefile
+++ b/src/packages/fff/fff-firewall/Makefile
@@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=fff-firewall
-PKG_RELEASE:=6
+PKG_RELEASE:=7
 include $(INCLUDE_DIR)/package.mk
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
index bb18657f..74458a35 100644
--- a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
@@ -1,3 +1,5 @@
 # Limit ssh to 6 new connections per 60 seconds
 /usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name dropbear
 /usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 6 --rttl --name dropbear -j DROP
+/usr/sbin/iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name dropbear
+/usr/sbin/iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 6 --rttl --name dropbear -j DROP
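Review bot: The header comment `# Limit ssh to 6 new connections per 60 seconds` overstates the limit and does not mention that the file now covers both address families. Because `--set` records the packet before `--update --hitcount 6` is evaluated, the sixth NEW packet from a source within 60 seconds is already dropped, so five connections get through. I would reword it to `# Limit ssh to 5 new connections per 60 seconds per source address (IPv4 and IPv6); the window restarts while a blocked client keeps retrying`. The added iptables rules also reuse the recent-list name `dropbear` from the ip6tables rules, which looks intentional, but a short comment saying the name is shared would save the next reader from checking.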