Re: SSH Brute force attacks

On Sunday, May 22, 2005 12:37 AM, Taylor, Grant wrote:

> > Why this update here (see below)?
> >
> > $ipt -A SSH_Brute_Force -m recent --name SSH --update
> >
> > Every time a packet passes the --set rule, it updates SSH. So if I drop this
> > rule, nothing changes. Or am I wrong? Is there any idea behind this
> > that I missed?
>
> The "--set" rule is required because, in the testing that I did, the "--update" rule would not effectively do the same thing as "--set", because there was no initial "--set" to be updated. It's sort of a chicken-and-egg problem where you cannot successfully have one without having the other in this scenario. The only drawback to having the "--set" that I'm aware of is that the hit count is incremented once per "--set" and "--update"; thus you have to double the "--hitcount" value that you want to match against.

I might be misunderstanding something, but, Peter, is it correct that you wanted the "--update" rule to be removed?
In that case I also think it can be safely removed, for it usually does not even seem to match anyway. It should rather match only when there are already too frequent connections, so "-j RETURN" won't hit, right? But I'd rather also like to hear the opinion of somebody more experienced with the "recent" match than I am, for the help file did not say whether the "--set" entry is updated if it already exists. (Though I expect that, and I admit it could easily be tested whether "--set" updates an already existing entry or not, but I have to leave right now. I think I'll examine that when I'm back if nobody is faster ;-) )


Greetings,

Marius
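To make the "--set"/"--update" interaction that Peter, Grant and Marius are discussing concrete, here is a small Python model (added here, not from the thread or from the netfilter code) of one "recent" list, following what the current iptables man page documents: "--set" always records a hit and refreshes an existing entry, while "--update" matches only if the address is already listed with at least "--hitcount" hits inside "--seconds", and records a hit only when it matches. The chain layout, the address 10.0.0.5 and the packet timings are constructed; the 2005-era module may have counted hits differently.

```python
# Constructed model of the iptables "recent" match (--set / --update), not
# netfilter code.  Follows the semantics the current iptables man page
# documents; the 2005-era module may have differed.
from collections import defaultdict


class RecentList:
    """One named list (e.g. --name SSH): source address -> hit timestamps."""

    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):
        # --set: add the address, or refresh it if already listed, and
        # record a hit.  It always "matches" (no --seconds/--hitcount test).
        self.stamps[src].append(now)
        return True

    def hits_within(self, src, now, seconds):
        # Hits whose timestamp is no older than --seconds before now.
        return sum(1 for t in self.stamps[src] if now - t <= seconds)

    def update(self, src, now, seconds, hitcount):
        # --update: like --rcheck, but records a hit when it matches.  It
        # matches only if the address is already listed and at least
        # --hitcount hits fall inside the --seconds window, so without a
        # preceding --set it never matches anything.
        if src not in self.stamps:
            return False
        if self.hits_within(src, now, seconds) < hitcount:
            return False
        self.stamps[src].append(now)
        return True


def run_chain(packets, seconds, hitcount, with_set=True):
    """Walk (time, src) packets through a chain shaped like the one under
    discussion:
        -m recent --name SSH --set
        -m recent --name SSH --update --seconds S --hitcount N -j DROP
    Returns the per-packet verdicts and the resulting list, so the number
    of hits recorded per address can be inspected.  Not modelled: the cap
    on stored timestamps per entry."""
    recent = RecentList()
    verdicts = []
    for now, src in packets:
        if with_set:
            recent.set(src, now)
        matched = recent.update(src, now, seconds, hitcount)
        verdicts.append("DROP" if matched else "ACCEPT")
    return verdicts, recent
```

With --seconds 60 --hitcount 4 and packets from one address at t = 0, 10, 20, 30, 40, 100, the fourth packet is the first DROP and the six packets leave eight hits recorded, because once the "--update" rule matches every packet adds one hit from "--set" and another from "--update"; the packet at t = 100 is accepted again because only three hits are still inside the window. With the "--set" rule removed, the "--update" rule never matches and the address is never listed.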


