
limit established ssh connections with iptables

Status
Not open for further replies.

hfaix

MIS
Nov 25, 2003
US
Hello -

I'm trying to limit the number of "ESTABLISHED" ssh connections from a specific ip address with iptables. For example. I'm trying to say ip x.x.x.x can have up to 10 established connections to my sftp-server (openssh). Here is the command I've been using.

root@server:/proc> iptables -I INPUT -p tcp -s x.x.x.x --dport 22 -i bond0 -m state --state ESTABLISHED -m recent --hitcount 10 --set

(1) I don't know if this is correct and
(2) if it is correct, I get an ambiguous/non-standard error.

Here is the error I get.
iptables: Unknown error 18446744073709551615


Can you help? I've read that sometimes this is a bug, but I'm at the latest iptables level.


 
First of all have a look at the sshd daemon config file as I think there could be a switch in the configuration file to limit the number of concurrent connections from a host or user.
Coming to iptables now, by limiting the number of ESTABLISHED connections you will not prevent the same address from connecting to port 22 again and again. Probably you need to count the NEW connections. Try something like

Code:
iptables -I INPUT -p tcp --dport 22 -i bond0 -m state --state NEW -m recent --set

iptables -I INPUT -p tcp --dport 22 -i bond0 -m state --state NEW -m recent --update --hitcount 10 -j DROP
Before trying the script make sure that ip_conntrack module is loaded

lsmod | grep ip_conntrack


QatQat




If I could have sex each time I reboot my server, I would definitely prefer Windoz over Linux!
 
Thank you! I appreciate your help.

The iptables command worked successfully. That's enough to get me rolling. I actually think I want ESTABLISHED, because my problem is a vendor that connects every 30 seconds, but unfortunately the sessions don't always get closed... therefore yesterday they had 3000 established connections at one time (almost crashing the server due to lack of RAM).

I'm going to look at the ssh config again too, I couldn't find what I was looking for yesterday, but maybe I missed it.

Thanks again.
 
OK, then your solution is definitely in /etc/sshd/sshd.conf

Set the ClientAliveCountMax parameter to something (5, 10). sshd will try to notify the user of an open (but sleeping) session; after the specified number of attempts is reached the connection will be terminated.

The ClientAliveInterval option will let you decide how soon you want sshd to check for sleeping sessions.




QaTQat


 
Apologies, the config file is obviously sshd_config and not sshd.conf

QatQat

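An added example, not from this thread, to go with the two answers above: a shell check that spots the condition the original poster hit (one peer holding many ESTABLISHED sessions to port 22) from `ss -tn state established` output, and a second function that computes the idle timeout sshd will actually enforce from the ClientAliveInterval and ClientAliveCountMax lines in sshd_config. The `ss` output and the sshd_config lines are constructed samples; the awk field positions assume the `ss` format without a State column and IPv4 peers.

```shell
#!/bin/sh
# Constructed sample in `ss -tn state established` format (documentation addresses only).
SAMPLE_SS='Recv-Q Send-Q Local Address:Port   Peer Address:Port
0      0      10.0.0.5:22           192.0.2.10:51312
0      0      10.0.0.5:22           192.0.2.10:51313
0      0      10.0.0.5:22           192.0.2.10:51320
0      0      10.0.0.5:22           198.51.100.7:40001
0      0      10.0.0.5:443          192.0.2.10:51400'

# Read `ss -tn state established` lines on stdin and print "count peer" for every
# peer holding more than $2 sessions to local port $1. Only those peers are printed,
# so an empty result means nobody is over the limit.
# Usage: ss -tn state established | over_limit 22 10
over_limit() {
  port=$1; max=$2
  awk -v port="$port" -v max="$max" '
    NR > 1 {
      n = split($3, l, ":"); lport = l[n]        # local port is the last ":"-field
      split($4, p, ":");    peer = p[1]          # peer IP (IPv4 only in this sample)
      if (lport == port) cnt[peer]++
    }
    END { for (ip in cnt) if (cnt[ip] > max) print cnt[ip], ip }'
}

# Read sshd_config-style lines on stdin and print the number of seconds a silent
# session survives: ClientAliveInterval * ClientAliveCountMax. OpenSSH defaults are
# interval 0 (never probe) and count 3, so 0 here means idle sessions are never dropped.
# Usage: idle_timeout < /etc/ssh/sshd_config
idle_timeout() {
  awk 'BEGIN { interval = 0; count = 3 }
       tolower($1) == "clientaliveinterval" { interval = $2 }
       tolower($1) == "clientalivecountmax" { count = $2 }
       END { print interval * count }'
}

printf '%s\n' "$SAMPLE_SS" | over_limit 22 2                            # prints: 3 192.0.2.10
printf 'ClientAliveInterval 30\nClientAliveCountMax 5\n' | idle_timeout   # prints: 150
```

Run the first function from cron or a monitoring check against the live `ss` output; if the second prints 0 against your real sshd_config, the stale sessions the thread describes will never be reaped by sshd itself.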
 