[KLUG Members] auto-nullrouting

Bruce Smith bruce at armintl.com
Wed Nov 23 14:53:55 EST 2005


> > And if you really want to block, I have some netfilter (iptables)
> > rules that will block port 22 for awhile after detecting a high
> > frequency of connections in a short period of time.
> 
> That's what I want to do, yes.  :)

The only issue with this solution is netfilter cannot distinguish a
successful SSH login from a failed SSH login.  That's not a problem for
me but YMMV, so let me explain further to see if it'll work for you.

Basically it counts the number of _initial_ connects (SYN) to port 22
from a single IP and if it receives "X" number of initial connects in
"Y" seconds, then it blocks that IP for "Z" minutes.

So if your users log in and off VERY frequently in a VERY SHORT period of
time, this could be a problem.  The same applies to SCP since it's a
connect too (they do a lot of SCPs one after another).

Once a user is logged in they can do anything they want and it's only a
single connect.  And I believe SCPs with wildcards (*) only count as a
single connect.

If you want to give it a try, check out my post w/example here:

http://sourceforge.net/mailarchive/message.php?msg_id=10985134

 - BS
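The X/Y/Z policy described in the post, simulated as an added example (this is not Bruce's ruleset; his iptables rules are at the SourceForge link above). On a real host the same thing is built with iptables' `recent` match (`-m recent --set` followed by `-m recent --update --seconds Y --hitcount X -j DROP`); the Python below only reproduces the decision logic over a constructed SYN log so that the caveat he raises is visible: the limiter sees nothing but the SYN, so a legitimate user firing off a batch of SCPs is blocked exactly like a brute-forcer, while one login followed by a long session is never touched. X=4, Y=60 seconds and Z=10 minutes are assumed values, and every IP and timestamp is made up.

```python
"""Simulate the netfilter SYN-rate block from the post: X initial connects
(SYNs) from one IP within Y seconds => that IP is dropped for Z minutes.
Constructed example; nothing here talks to netfilter."""
from collections import defaultdict, deque

# Assumed policy values for X, Y and Z (the post leaves them to the reader).
X_HITS = 4          # this many SYNs ...
Y_SECONDS = 60      # ... inside this window ...
Z_MINUTES = 10      # ... blocks the source for this long


class SynRateLimiter:
    """Per-source sliding window over SYN timestamps, plus a block list."""

    def __init__(self, hits=X_HITS, window=Y_SECONDS, block_minutes=Z_MINUTES):
        self.hits = hits
        self.window = window
        self.block_seconds = block_minutes * 60
        self.recent = defaultdict(deque)   # ip -> timestamps of recent SYNs
        self.blocked_until = {}            # ip -> absolute expiry time

    def syn(self, ts, ip):
        """Verdict ('ACCEPT' or 'DROP') for a SYN from ip at time ts (seconds).

        Like netfilter, this only sees the connection attempt: it cannot
        tell a successful SSH login from a failed one, and an scp counts
        as one connect just like an interactive login."""
        until = self.blocked_until.get(ip)
        if until is not None:
            if ts < until:
                return "DROP"              # still inside the Z-minute block
            del self.blocked_until[ip]     # block expired: start fresh
            self.recent[ip].clear()

        hits = self.recent[ip]
        hits.append(ts)
        while hits and ts - hits[0] > self.window:
            hits.popleft()                 # forget SYNs older than Y seconds
        if len(hits) >= self.hits:
            # Fixed Z-minute expiry, as the post describes it.
            self.blocked_until[ip] = ts + self.block_seconds
            return "DROP"
        return "ACCEPT"


def simulate(events, **policy):
    """Feed (ts, ip) SYN events in time order; return {ip: [verdicts]}."""
    limiter = SynRateLimiter(**policy)
    verdicts = defaultdict(list)
    for ts, ip in sorted(events):
        verdicts[ip].append(limiter.syn(ts, ip))
    return dict(verdicts)


# Constructed SYN log: (seconds, source IP). Not captured from any real host.
SAMPLE_SYNS = [
    # brute-forcer: five connects in five seconds, then one more after the block
    (0, "198.51.100.9"), (1, "198.51.100.9"), (2, "198.51.100.9"),
    (3, "198.51.100.9"), (4, "198.51.100.9"), (700, "198.51.100.9"),
    # legitimate user running scp in a loop: indistinguishable from the above
    (100, "192.0.2.7"), (101, "192.0.2.7"), (102, "192.0.2.7"), (103, "192.0.2.7"),
    # one interactive login, then hours of work inside that single session
    (50, "192.0.2.8"),
    # occasional logins spread out over more than Y seconds
    (0, "192.0.2.10"), (30, "192.0.2.10"), (70, "192.0.2.10"), (140, "192.0.2.10"),
]

if __name__ == "__main__":
    for ip, verdicts in simulate(SAMPLE_SYNS).items():
        print(f"{ip:14} {' '.join(verdicts)}")
```

The fourth SYN inside the window is the one that trips the limit, so both the brute-forcer and the scp loop get `ACCEPT ACCEPT ACCEPT DROP`; only the spacing of the connects, not what happens after the handshake, decides the outcome.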