DrSpirograph (n00b)
Joined: 05 Apr 2003, Posts: 69
Posted: Sun Jul 17, 2005 4:15 am
Post subject: iptables -m recent --hitcount always matches?
I've been trying to setup some rules with iptables -m recent to limit brute force attempts on my ssh server. I wanted to use -m recent --hitcount 3 --seconds 60 to limit each host to 3 connections a minute.
However, the rule *always* matches, so no connections are getting in.
I entered the following to try and debug the rule and it seems to me like --hitcount is having no effect:
Code:
iptables -A ssh_check -p tcp -m conntrack \
    --ctstate NEW,INVALID -m recent --name sshattack --set
iptables -A ssh_check -m recent --name sshattack \
    --rcheck --seconds 60 --hitcount 3 \
    -j LOG --log-prefix SSH_attack_TEST:
iptables -A INPUT -p tcp --dport 22 -j ssh_check
With this setup, every single connection attempt results in a log message, even though:
Code:
# cat /proc/net/ipt_recent/sshattack
src=10.0.0.1 ttl: 64 last_seen: 2885161102 oldest_pkt: 1 last_pkts: 2885161102
which states there's only 1 packet matched so far!
What's going on? Have I screwed up the rule somehow, or is -m recent broken?
I'm using
sys-kernel/vanilla-sources-2.6.11.2
net-firewall/iptables-1.2.11-r3
magic919 (Advocate)
Joined: 17 Jun 2005, Posts: 2182, Location: Berkshire, UK
r1chardgreen (n00b)
Joined: 10 Feb 2003, Posts: 43
Posted: Mon Jul 18, 2005 3:54 am
Post subject: Re: iptables -m recent --hitcount always matches?
DrSpirograph wrote:
> ... or is -m recent broken?
> I'm using
> sys-kernel/vanilla-sources-2.6.11.2
> net-firewall/iptables-1.2.11-r3
Did you compile it as a module or build it into the main kernel? I couldn't load the module for -m recent, despite my kernel, gentoo-sources 2.6.9-r9, having
Code:
CONFIG_IP_NF_MATCH_RECENT=m
iptables v1.2.11: Couldn't load match `recent':/lib/iptables/libipt_recent.so: cannot open shared object file: No such file or directory
Running a pre-compiled kernel on a debian box elsewhere I was able to successfully...
Code:
iptables -I INPUT 7 -d $IFACE_IP -p tcp --dport 22 -m state --state NEW -m recent --rcheck --hitcount 3 --seconds 600 -j DROP
iptables -I INPUT 9 -d $IFACE_IP -p tcp --dport 22 -m state --state NEW -m recent --set
-richard
DrSpirograph (n00b)
Joined: 05 Apr 2003, Posts: 69
Posted: Sun Jul 24, 2005 11:44 pm
Quote:
> Did you compile as a module or built into main kernel? I couldn't load the module for -m recent, despite having my kernel, gentoo-sources 2.6.9-r9 having having
> CONFIG_IP_NF_MATCH_RECENT=m
It's built into my kernel:
Code:
CONFIG_IP_NF_MATCH_RECENT=y