Hi all,

I am trying to use the recent module to stop the slate of attacks I get every day, but I am not sure my understanding of its logic is correct.

-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 1800 --hitcount 5 --name ssh-defensive --rsource -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name ssh-defensive --rsource

I am testing this solution - which works as intended - but the packet counters do not make sense to me. During my test I start the ssh client, I get the prompt asking for the password and I immediately check the iptables counters:

Chain INPUT (policy ACCEPT 81 packets, 8996 bytes)
 pkts bytes target prot opt in   out source     destination
    1    52 LOG    tcp  --  *    *   0.0.0.0/0  0.0.0.0/0  state NEW tcp dpt:22 LOG flags 0 level 4
    0     0 DROP   tcp  --  eth0 *   0.0.0.0/0  0.0.0.0/0  tcp dpt:22 state NEW recent: UPDATE seconds: 1800 hit_count: 5 name: ssh-defensive side: source
    1    52        tcp  --  eth0 *   0.0.0.0/0  0.0.0.0/0  tcp dpt:22 state NEW recent: SET name: ssh-defensive side: source

I expected to see more packets, what about the TCP handshake?

Thanks in advance,
Pietro
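
Added example, not part of the original post: a simplified Python model of the two posted rules, showing which inbound packets each rule counts and when the DROP rule starts matching. The addresses and packet sequences are constructed, and the model assumes conntrack classifies only the connection-opening SYN as NEW; it is not the kernel's implementation.

```python
# Simplified model of the two posted rules (not kernel code): one list named
# ssh-defensive, keyed by source address, holding arrival times of matched packets.
SECONDS, HITCOUNT = 1800, 5          # values from the posted --update rule

def run_input_chain(packets):
    """packets: (time_s, src, conntrack_state) for inbound tcp dpt:22 on eth0.
    Returns (per-rule packet counters, verdict for each packet)."""
    recent = {}                                   # src -> list of timestamps
    counters = {"update_drop": 0, "set": 0}
    verdicts = []
    for now, src, state in packets:
        if state != "NEW":                        # -m state --state NEW fails,
            verdicts.append("ACCEPT")             # so neither rule counts it
            continue
        stamps = recent.get(src)
        # Rule 1: --update --seconds 1800 --hitcount 5 -j DROP
        if stamps is not None:
            hits = sum(1 for t in stamps if now - t <= SECONDS)
            if hits >= HITCOUNT:
                stamps.append(now)                # a matching --update refreshes the entry
                counters["update_drop"] += 1
                verdicts.append("DROP")
                continue
        # Rule 2: --set records the source; no -j target, so traversal
        # continues to the chain policy (ACCEPT in the posted output).
        recent.setdefault(src, []).append(now)
        counters["set"] += 1
        verdicts.append("ACCEPT")
    return counters, verdicts

# Constructed sample: one SSH login as seen on INPUT. The SYN is NEW; the
# handshake ACK and everything after it are ESTABLISHED (the SYN-ACK is outbound).
ONE_LOGIN = [(0, "192.0.2.10", "NEW"), (0, "192.0.2.10", "ESTABLISHED"),
             (1, "192.0.2.10", "ESTABLISHED"), (2, "192.0.2.10", "ESTABLISHED")]
# Constructed sample: seven new connections from one source, 10 s apart.
SEVEN_SYNS = [(10 * i, "198.51.100.7", "NEW") for i in range(7)]

if __name__ == "__main__":
    print(run_input_chain(ONE_LOGIN))
    print(run_input_chain(SEVEN_SYNS))
```

In this model a single login increments only the SET counter once, and the sixth new connection inside the 1800-second window is the first to hit the DROP rule; each dropped attempt also refreshes the entry.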