

Author Topic: fail2ban replacement for ipv6 ssh  (Read 6607 times)

fail2ban replacement for ipv6 ssh
« on: December 19, 2011, 01:14:53 am »
This init script allows only 6 SSH attempts every minute. It works with both IPv4 and IPv6.

#!/bin/sh
### BEGIN INIT INFO
# Provides:          ipwall.sh
# Required-Start:    sshd
# Required-Stop:     sshd
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: ipwall.sh
# Description:       Firewall Script
### END INIT INFO
#
# ipv6wall firewall created by Brenton Taylor
#
#

# Packet-filter front ends, one per address family.
ip4=/sbin/iptables
ip6=/sbin/ip6tables
# User-defined chain that holds the rate-limit rules; hooked from INPUT for tcp/22.
chain1=SSH_LIMITER
# Window in seconds, and number of hits within that window, at which the
# LOG/DROP rules in the chain start matching a source address.
timeframe=60
hitcount=6


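#######################################
# Create $chain1 on one packet filter and hook it into INPUT for tcp/22.
# Globals:   chain1, timeframe, hitcount (read)
# Arguments: $1 - iptables or ip6tables binary
# Outputs:   whatever the packet filter prints (errors on stderr)
# Returns:   status of the last rule insertion
#
# Rule order matters: the rate check has to run BEFORE the ACCEPT, and only
# on NEW connections.  With "--set ... -j ACCEPT" as the first rule every new
# connection is accepted unconditionally (--set always matches), so the
# LOG/DROP rules only ever see packets of already-established sessions and
# end up dropping those instead of refusing the excess connection attempts.
#######################################
install_ssh_limiter() {
  ipt=$1
  # NOTE: -N fails if the chain already exists; the rules below are still
  # appended, so run "stop" (or "restart") before a second "start".
  "$ipt" -N "$chain1"
  # 1. source already has $hitcount new connections in the window: log it
  #    (--rcheck only reads the list, so logging does not add a hit)
  "$ipt" -A "$chain1" -p tcp -m state --state NEW -m recent --rcheck --seconds "$timeframe" --hitcount "$hitcount" --rttl --name SSH --rsource -j LOG --log-prefix "SSH_brute_force: "
  # 2. ... and drop it; --update refreshes the timestamp so a source that keeps
  #    hammering stays blocked
  "$ipt" -A "$chain1" -p tcp -m state --state NEW -m recent --update --seconds "$timeframe" --hitcount "$hitcount" --rttl --name SSH --rsource -j DROP
  # 3. under the limit: record the hit and accept the new connection
  "$ipt" -A "$chain1" -p tcp -m state --state NEW -m recent --set --name SSH --rsource -j ACCEPT
  "$ipt" -A INPUT -p tcp -m tcp --dport 22 -j "$chain1"
}

#######################################
# Install the SSH rate-limit chain for IPv6 and IPv4.
# Globals:   ip6, ip4 (read)
# Returns:   status of the last iptables call
#######################################
start() {
  install_ssh_limiter "$ip6"
  install_ssh_limiter "$ip4"
}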

#######################################
# Remove the SSH rate-limit chain from both packet filters (IPv6 first,
# then IPv4): unhook it from INPUT, flush it, delete it.
# Globals:   ip6, ip4, chain1 (read)
# Returns:   status of the last iptables call
#######################################
stop() {
  for ipt in "$ip6" "$ip4"; do
    "$ipt" -D INPUT -p tcp -m tcp --dport 22 -j "$chain1"
    "$ipt" -F "$chain1"
    "$ipt" -X "$chain1"
  done
}

#######################################
# Tear the chains down and build them again.
# Returns:   status of start
#######################################
restart() {
  stop
  # give the packet filter a moment before re-creating the chains
  sleep 1
  start
}

#######################################
# Print the current rule set of both packet filters, IPv4 then IPv6
# (numeric output, no DNS lookups).
# Globals:   ip4, ip6 (read)
# Outputs:   rule listing on stdout
#######################################
show() {
  for ipt in "$ip4" "$ip6"; do
    "$ipt" -L -n
  done
}

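# Dispatch on the init action.  Unknown actions print usage.  The exit
# status is always 0; the status of the iptables calls is not propagated.
# printf replaces "echo -n": -n is not portable under /bin/sh.
case "$1" in
  start)
    printf 'Starting firewall script: '
    start
    echo "done"
    ;;
  stop)
    printf 'Stopping firewall script: '
    stop
    echo "done"
    ;;
  restart)
    printf 'Restarting firewall script: '
    restart
    echo "done"
    ;;
  show)
    show
    ;;
  *)
    # Report the script's own name (the header installs it as ipwall.sh)
    # instead of a hard-coded, unrelated file name.
    printf 'Usage: %s {start|stop|restart|show}\n' "${0##*/}"
    ;;
esac
exit 0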

Re: fail2ban replacement for ipv6 ssh
« Reply #1 on: June 22, 2012, 04:10:23 pm »
test