Matching recently seen sources

The recent command helps prevent “brute force” attacks where an external device opens a continuous flow of connections (for example, to the SSH port) in an attempt to break into the system. In these cases, the external source address may be unknown; however, this command enables matching based on the behavior of the external host without initially knowing its IP address.

For example, to create a rule that limits incoming SSH connection attempts from the same host to three within 30 seconds, perform the following steps in configuration mode.

Table 1. Dropping connection attempts from the same source over a specified threshold in a given period
Step	Command
Match TCP packets.	`vyatta@R1# set security firewall name STOP-BRUTE rule 10 protocol tcp`
Match a destination port of 22 (that is, SSH).	`vyatta@R1# set security firewall name STOP-BRUTE rule 10 destination port 22`
Match connection attempts.	`vyatta@R1# set security firewall name STOP-BRUTE rule 10 state new enable`
Match the same source address three times in 3 seconds.	`vyatta@R1# set security firewall name STOP-BRUTE rule 10 recent count 3`
Match the same source address three times in 30 seconds.	`vyatta@R1# set security firewall name STOP-BRUTE rule 10 recent time 30`
Drop packets that match these criteria.	`vyatta@R1# set security firewall name STOP-BRUTE rule 10 action drop`
Commit the configuration.	`vyatta@R1# commit`
Show the configuration.	`vyatta@R1# show security firewall name STOP-BRUTE rule 10{ action drop destination { port 22 } protocol tcp recent { count 3 time 30 } state { new enable } } vyatta@R1#`

Vyatta documentation

Learn how to install, configure, and operate the Vyatta Network Operating System (Vyatta NOS) and Orchestrator, which help drive our virtual networking and physical platforms portfolio.

Matching recently seen sources

Helpful Links

Key Resources