Thank you for your answer Grant.

On 22 [month unreadable in the archive] 2005 02:37, Taylor, Grant wrote:
> > Why this update here (see below)?
> >
> > $ipt -A SSH_Brute_Force -m recent --name SSH --update
> >
> > Every time a packet passes the --set rule it updates SSH. So if we drop this rule,
> > nothing changes. Or am I wrong? Is there any idea behind this that I
> > missed?
>
> The "--set" rule is required because in the testing that I did, the "--update"
> rule would not effectively do the same thing as "--set", because there was
> no initial "--set" to be updated. It's sort of a chicken-and-egg problem
> where you cannot successfully have one without having the other in this
> scenario. The only drawback to having the "--set" that I'm aware of is
> that the hit count is incremented once per "--set" and "--update", thus you
> have to double the "--hitcount" value that you want to match against.

I feel stupid. I'll try to explain my question again, so if you have some time to
pay me attention, maybe you can help me. Anyway, thank you for your time.

I'd like to comment on the scenario already posted on the list step by step to
make my question a bit clearer.

Here we create a chain and put all SSH SYN traffic there:

1. $ipt -N SSH_Brute_Force
2. $ipt -A INPUT -p tcp --dport 22 -m state --state NEW -s ! $MyIP -j SSH_Brute_Force

Now in our SSH_Brute_Force chain we need to add the source address to the list
with the --set command:

3. $ipt -A SSH_Brute_Force -m recent --set --name SSH

The rule above also updates the last-seen time. So now we can --rcheck the list
to see how many matches there were (--hitcount) in the last --seconds:

4. $ipt -A SSH_Brute_Force -m recent ! --rcheck --name SSH --seconds 60 --hitcount 3 -j RETURN

As we have the negation (!) in the previous rule, we come here. My question is:
as we already updated the list of matches in 3., why do we need to --update the
list again? Did I miss something? Maybe there are some problems unknown to me
that people experience without the next rule:

5. $ipt -A SSH_Brute_Force -m recent --name SSH --update

And of course we drop all unwanted packets...

6. $ipt -A SSH_Brute_Force -j DROP

I'm sorry for the boring details. I just want to check that I did not miss
anything. I've checked that the rules above are working without 5. But I saw
two scripts here with this rule. Why are you using it?

-- 
Peter.
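The following is an added model, not code from this thread or from the netfilter project, of the bookkeeping the recent match does for --set, --rcheck and --update. It walks rules 3 to 6 of the SSH_Brute_Force chain above with and without rule 5 over a constructed packet sequence (addresses 10.0.0.5 and 192.0.2.7 and the timings are made up). The timestamp semantics it assumes (one timestamp per --set and per matching --update, a check counting the timestamps no older than --seconds against --hitcount, at most 20 timestamps per entry) are my reading of the module and are marked as assumptions in the comments.

```python
from collections import deque

MAX_STAMPS = 20  # assumed kernel default for ip_pkt_list_tot


class RecentList:
    """Simplified model of one 'recent' list (the --name SSH list in the thread)."""

    def __init__(self):
        self.entries = {}  # source address -> deque of timestamps, newest last

    def set(self, src, now):
        """--set: create the entry if needed and record one more timestamp.
        The --set match itself always succeeds (assumed semantics)."""
        stamps = self.entries.setdefault(src, deque(maxlen=MAX_STAMPS))
        stamps.append(now)
        return True

    def rcheck(self, src, now, seconds=0, hitcount=0):
        """--rcheck [--seconds N] [--hitcount M]: true when the source has at
        least M timestamps no older than N seconds (M=0 behaves like M=1)."""
        stamps = self.entries.get(src)
        if stamps is None:
            return False
        if seconds:
            hits = sum(1 for t in stamps if now - t <= seconds)
        else:
            hits = len(stamps)
        return hits >= max(hitcount, 1)

    def update(self, src, now, seconds=0, hitcount=0):
        """--update: same test as --rcheck, but on a match one more timestamp
        is recorded (a negated --update is not modelled here)."""
        matched = self.rcheck(src, now, seconds, hitcount)
        if matched:
            self.entries[src].append(now)
        return matched


def run_chain(packets, with_update_rule, seconds=60, hitcount=3):
    """Send (time, source) new-connection packets through rules 3..6 of the
    SSH_Brute_Force chain and return the verdict per packet plus the list."""
    recent = RecentList()
    verdicts = []
    for now, src in packets:
        recent.set(src, now)                                 # rule 3: --set
        if not recent.rcheck(src, now, seconds, hitcount):   # rule 4: ! --rcheck ... -j RETURN
            verdicts.append("RETURN")
            continue
        if with_update_rule:
            recent.update(src, now, seconds, hitcount)       # rule 5: --update
        verdicts.append("DROP")                              # rule 6: -j DROP
    return verdicts, recent


# Constructed traffic: 10.0.0.5 opens five SSH connections within 20 seconds,
# then tries once more 58 seconds after its last attempt; 192.0.2.7 opens two.
PACKETS = [(0, "10.0.0.5"), (3, "192.0.2.7"), (5, "10.0.0.5"), (7, "192.0.2.7"),
           (10, "10.0.0.5"), (15, "10.0.0.5"), (20, "10.0.0.5"), (78, "10.0.0.5")]


def compare(packets=PACKETS):
    """Run both variants of the chain and report verdicts and recorded stamps."""
    result = {}
    for label, flag in (("with_rule_5", True), ("without_rule_5", False)):
        verdicts, recent = run_chain(packets, flag)
        result[label] = {
            "verdicts": verdicts,
            "stamps": {src: list(st) for src, st in recent.entries.items()},
        }
    return result


if __name__ == "__main__":
    for label, info in compare().items():
        print(label, info["verdicts"])
        print("   stamps for 10.0.0.5:", info["stamps"]["10.0.0.5"])
```

In this model rule 5 can only run for a packet that has already matched rule 4, so it never changes that packet's verdict; what it does is record a second timestamp for every dropped attempt. The difference shows up in the late retry at t=78: with rule 5 the doubled stamps keep the source over the hitcount and the packet is dropped, without it the stamps have aged out and the packet is returned to INPUT.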