Hi Herb,
> You mean you don't have to parse the /var/log/maillog? How do you detect
> the dictionary attackers?
See: http://www.e18.physik.tu-muenchen.de/~tnagel/ipt_recent/
It works like this:
Usually when you have iptables rules, the kernel will examine a TCP/IP packet
and will check if it matches an existing rule. Based on the rule the packet is
either rejected, dropped, forwarded or allowed to pass through. Once that has
happened, the kernel will "forget" about that transaction and process the
next request.
The kernel module "recent" adds more "brain" to that procedure. The kernel
will keep track of recent TCP/IP traffic. That's where the name comes from.
So you can now create rules like this:
"If this TCP/IP packet is the third connection attempt to port 22 within the
last 60 from the same host, then block it for 30 seconds. For each extra
connection attempt while the ban is in place, extend the ban-time for another
600 seconds".
The URL I posted above has some nice examples which are well commented.
> Is the "recent module" a standard part of IPTables?
Yes, it is a standard kernel module, which is included in the 2.6-kernel on
CentOS / BlueQuartz.
--
With best regards,
Michael Stauber
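The kind of rule described in the message above, written out as an added example (my own, not from the post or from the ipt_recent page linked there): new SSH connections from one source are recorded in a "recent" list, and once a source has made three new connections within 60 seconds, further attempts are dropped; every dropped retry refreshes the entry, so the ban keeps extending while the attempts continue. The list name, window and hit count are constructed values; applying the rules assumes iptables with the recent match and root privileges.

```shell
#!/bin/sh
# Added example: throttle repeated new SSH connections with the iptables
# "recent" match. Constructed values; adjust for your own policy.
LIST_NAME="SSH_RECENT"   # name of the list the kernel keeps for us
PORT=22
WINDOW=60                # seconds of history to look back over
HITS=3                   # this many new connections in WINDOW triggers a drop

# Print the rules instead of applying them, so they can be reviewed first.
ssh_recent_rules() {
    # 1) Record the source of every new SSH connection in the list.
    #    No -j, so evaluation simply continues to the next rule.
    printf '%s\n' "iptables -A INPUT -p tcp --dport $PORT -m state --state NEW -m recent --name $LIST_NAME --set"
    # 2) Drop if this source already has HITS entries within WINDOW seconds.
    #    --update refreshes the timestamp on a match, so each blocked retry
    #    extends the ban; --rttl also requires the TTL to match the original
    #    packet, which makes it harder to get a third party's address banned.
    printf '%s\n' "iptables -A INPUT -p tcp --dport $PORT -m state --state NEW -m recent --name $LIST_NAME --update --seconds $WINDOW --hitcount $HITS --rttl -j DROP"
    # 3) Anything that survived the check is a normal new SSH connection.
    printf '%s\n' "iptables -A INPUT -p tcp --dport $PORT -m state --state NEW -j ACCEPT"
}

# Apply the rules (needs root). Each line runs in a sub-shell with -e, so the
# function fails on the first rule iptables rejects.
apply_ssh_recent_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply requires root" >&2; return 1; }
    ssh_recent_rules | sh -e
}

# Show what the kernel currently remembers for the list (source, last seen,
# hit timestamps). Newer kernels expose xt_recent, 2.6-era ones ipt_recent.
show_recent_list() {
    cat "/proc/net/xt_recent/$LIST_NAME" 2>/dev/null \
        || cat "/proc/net/ipt_recent/$LIST_NAME"
}

if [ "${1:-}" = "apply" ]; then
    apply_ssh_recent_rules
else
    ssh_recent_rules
fi
```

Run without arguments to print the three rules for review; run with `apply` as root to install them, and use `show_recent_list` to watch which sources the kernel is currently tracking.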