home

Supported platforms

Vyatta NOS documentation

Learn how to install, configure, and operate Vyatta Network Operating System (Vyatta NOS), which helps to drive our virtual networking and physical platforms portfolio.

Matching recently seen sources

The recent command helps prevent “brute force” attacks where an external device opens a continuous flow of connections (for example, to the SSH port) in an attempt to break into the system. In these cases, the external source address may be unknown; however, this command enables matching based on the behavior of the external host without initially knowing its IP address.

For example, to create a rule that limits incoming SSH connection attempts from the same host to three within 30 seconds, perform the following steps in configuration mode.

Table 1. Dropping connection attempts from the same source over a specified threshold in a given period
Step Command

Match TCP packets.

vyatta@R1# set security firewall name STOP-BRUTE rule 10 protocol tcp

Match a destination port of 22 (that is, SSH).

vyatta@R1# set security firewall name STOP-BRUTE rule 10 destination port 22

Match connection attempts.

vyatta@R1# set security firewall name STOP-BRUTE rule 10 state new enable

Match the same source address three times in 3 seconds.

vyatta@R1# set security firewall
 name STOP-BRUTE rule 10 recent count 3

Match the same source address three times in 30 seconds.

vyatta@R1# set security firewall name STOP-BRUTE rule 10 recent time 30

Drop packets that match these criteria.

vyatta@R1# set security firewall name STOP-BRUTE rule 10 action drop

Commit the configuration.

vyatta@R1# commit

Show the configuration.

vyatta@R1# show security firewall name STOP-BRUTE

rule 10{
    action drop
    destination {
        port 22
    }
    protocol tcp
    recent {
        count 3
        time 30
    }
    state {
        new enable
    }
}
vyatta@R1#