netfilter.vger.kernel.org archive mirror
From: Tim Mooney <Tim.Mooney@ndsu.edu>
To: netfilter@vger.kernel.org
Subject: rate-limit ssh for both IPv4 and IPv6
Date: Wed, 22 Mar 2023 13:28:26 -0500 (CDT)	[thread overview]
Message-ID: <783937f-4c3b-4520-eb7f-3334ffcdfa0__30928.9479207777$1679510081$gmane$org@ndsu.edu> (raw)


Hi All!

I have a couple of hosts where I need to open SSH to the world.  In the
past, with iptables & ip6tables I've used per-source address rate
limiting, so that no single source address can initiate more than say 8
connections in 2 minutes.  Without some kind of rate-limit guard, certain
attacks can DoS SSH by tying up all of its MaxStartups.

Note that I really need the rate-limiting to be per source address (v4 or
v6), not just rate-limiting in general.

The nftables wiki and other places on the web have lots of good
information for rate-limiting things like icmp & icmpv6, but I've really
struggled to find a working example of rate-limiting new connections
per source address for an IP-based protocol like SSH when I need to handle
both IPv4 and IPv6.

My understanding from the wiki and the docs is that it is not possible
to mix 'type ipv4_addr' and 'type ipv6_addr' in a set, and most of the
(IPv4-only) examples I've found that do rate-limiting use a set and what
I believe is called "continuation" in a long rule.

With my current experience level with nft, it's not clear to me how to
adjust a single rule that handles only IPv4 with a set to do what I need
for both IPv4 and IPv6 connections to ssh.

Since it likely matters for how to solve this, the environment where this
would be used is

    RHEL 8.x with nftables 0.9.3 (+ Red Hat patches)
    RHEL 9.x with nftables 1.0.4 (+ Red Hat patches)

When we migrated to nftables, we also switched to having both v4 and v6
rules mixed together on the chains within one "table inet filter".

If there's any other information I can provide that would be useful,
please let me know.  If there actually is a good example of this in the
wiki or elsewhere and I've just missed it, please point me at it.

Thanks,

Tim
-- 
Tim Mooney                                             Tim.Mooney@ndsu.edu
Enterprise Computing & Infrastructure /
Division of Information Technology    /                701-231-1076 (Voice)
North Dakota State University, Fargo, ND 58105-5164
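One way to express what the message asks for in a single "table inet filter", as an added example that is not part of this message or of any reply in the thread: because a set cannot mix ipv4_addr and ipv6_addr, the per-source policy is written twice, once against a dynamic ipv4_addr set keyed by ip saddr and once against a dynamic ipv6_addr set keyed by ip6 saddr. The set names, the chain layout and the numbers (4/minute with a burst of 8, elements forgotten after 2 minutes of silence) are assumptions chosen to approximate "8 connections in 2 minutes per source"; they are not from the page.

```nft
#!/usr/sbin/nft -f
# Added example, not from the netfilter thread. Assumed policy: a source
# that opens more than roughly 8 new SSH connections in 2 minutes is dropped
# until it calms down; the same rule is needed for IPv4 and IPv6.

flush ruleset

table inet filter {
    # One dynamic set per address family. "dynamic" lets rules add
    # elements from the packet path; "timeout" expires quiet sources
    # so the set does not grow without bound.
    set ssh_limit4 {
        type ipv4_addr
        size 65535
        flags dynamic,timeout
        timeout 2m
    }
    set ssh_limit6 {
        type ipv6_addr
        size 65535
        flags dynamic,timeout
        timeout 2m
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Only connection attempts should be counted, so let existing
        # connections through before the rate-limit rules are reached.
        ct state established,related accept
        ct state invalid drop
        iif lo accept

        # Per-source token bucket: "limit rate over" matches once this
        # source has exhausted its burst of 8 and is still above 4/minute,
        # so the drop fires before the accept rule below is consulted.
        tcp dport 22 ct state new add @ssh_limit4 { ip saddr limit rate over 4/minute burst 8 packets } counter drop
        tcp dport 22 ct state new add @ssh_limit6 { ip6 saddr limit rate over 4/minute burst 8 packets } counter drop

        # Everything under the limit is accepted.
        tcp dport 22 ct state new counter accept
    }
}
```

Load it with `nft -f <file>` and watch the per-source state with `nft list set inet filter ssh_limit4` (or `ssh_limit6`); the `counter` on the drop rules makes `nft list chain inet filter input` show how often the limit is actually being hit. Two caveats worth knowing before relying on it: nft's `limit` is a token bucket rather than the fixed window iptables `hashlimit` users are used to, so "4/minute burst 8" only approximates "8 in 2 minutes"; and the IPv6 set is keyed on the full /128, so a source that controls an entire /64 can rotate addresses within it, which is why some deployments key the IPv6 side on a prefix instead.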


Thread overview: 3+ messages
2023-03-22 18:28 Tim Mooney [this message]
     [not found] <783937f-4c3b-4520-eb7f-3334ffcdfa0@ndsu.edu>
2023-03-22 19:27 ` rate-limit ssh for both IPv4 and IPv6 Kevin P. Fleming
2023-03-22 19:44   ` Tim Mooney
