Matching recently seen sources
The recent command helps prevent “brute force” attacks where an external device opens a continuous flow of connections (for example, to the SSH port) in an attempt to break into the system. In these cases, the external source address may be unknown; however, this command enables matching based on the behavior of the external host without initially knowing its IP address.
For example, to create a rule that limits incoming SSH connection attempts from the same host to three within 30 seconds, perform the following steps in configuration mode.
Step | Command
---|---
Match TCP packets. |
Match a destination port of 22 (that is, SSH). |
Match connection attempts. |
Match the same source address three times in 30 seconds. |
Match the same source address three times in 30 seconds. |
Drop packets that match these criteria. |
Commit the configuration. |
Show the configuration. |