2w ago

nftables - progressive rate limiting

I'd like to progressively rate limit ssh connections by 3 per minute, 12 an hour and 24 a day.

I have these rules that don't seem to be working:

    
tcp dport 22 ct state new limit rate over 24/day drop comment "24+ a day"
tcp dport 22 ct state new limit rate over 12/hour drop comment "12+ an hour"
tcp dport 22 ct state new limit rate over 3/minute drop comment "3+ a minute"
tcp dport 22 ct state new limit rate 3/minute accept comment "Good SSH"

I'm still stuck in debian 10.13, stock kernel 4.19.316-1 (2024-06-25) and nftables v0.9.0 (Fearless Fosdick).

sets are not yet available, as far as I know.

3 comments

Why don't you just use fail2ban?
- I try to minimize as much as possible what I have to install... I'm sure fail2ban would do what I want, but then I wouldn't have learned anything.
  
  You could learn about how fail2ban works, and in the process decide if it's the right implementation for your use case, or maybe get some ideas for your implementation from the research.