On durcit avec du lubrifiant un peu le parefeu pour le bruteforce ssh.

This commit is contained in:
Pierre-Elliott Bécue 2015-06-06 01:03:26 +02:00
parent 2838a60501
commit a70205526f
2 changed files with 32 additions and 30 deletions


@ -94,6 +94,7 @@ class firewall(base.firewall_routeur):
self.add(table, chain, '-p icmp -j ACCEPT')
self.add(table, chain, '-m state --state RELATED,ESTABLISHED -j ACCEPT')
self.add(table, chain, '-j %s' % blacklist_soft_chain)
self.add(table, chain, '-j %s' % self.limit_ssh_connexion(table))
for net in base.config.NETs['all'] + base.config.NETs['adm'] + base.config.NETs['personnel-ens']:
self.add(table, chain, '-s %s -j %s' % (net, mac_ip_chain))
self.add(table, chain, '-j %s' % blacklist_hard_chain)
@ -156,7 +157,7 @@ class firewall(base.firewall_routeur):
if table == 'filter':
pretty_print(table, chain)
self.add(table, chain, '-i %s -p tcp --dport ssh -m state --state NEW -m recent --name SSH --set' % dev['out'])
self.add(table, chain, '-i %s -p tcp --dport ssh -m state --state NEW -m recent --name SSH --update --seconds 30 --hitcount 10 --rttl -j DROP' % dev['out'])
self.add(table, chain, '-i %s -p tcp --dport ssh -m state --state NEW -m recent --name SSH --update --seconds 120 --hitcount 10 --rttl -j DROP' % dev['out'])
print OK
if apply:
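Review bot: The replacement DROP rule in the second hunk keeps the policy as bare literals inside the rule string (`--seconds 120 --hitcount 10`), so what the commit actually changes — more than 10 NEW SSH connections from one source within 120 s are now dropped, instead of within 30 s — can only be found by parsing the string. I would hoist both values into named constants (e.g. `SSH_LIMIT_SECONDS = 120` and `SSH_LIMIT_HITCOUNT = 10`, names constructed here) and interpolate them into the `--update` rule, or at least add the comment `# more than 10 NEW ssh connections from one source within 120 s -> DROP`. Worth recording next to it as well: `-m recent` keys on the source address, so this bounds a single source only, and the xt_recent table holds a bounded number of addresses (module parameter `ip_list_tot`, 100 by default) — whether that is tuned on this host is not visible in the commit. The method the second hunk sits in (presumably `limit_ssh_connexion`, given the jump added in the first hunk) begins and ends outside the hunk.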