Hi folks,

I am now using the recent match to block SSH brute-force attacks, like this:

    ### ssh brute-force attack rule
    # every new SSH connection attempt (SYN) is recorded in the 'sshattack' table
    $IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
    # a source seen 3 or more times within 5 seconds is logged, then reset
    $IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
        --rcheck --seconds 5 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: 3/5 '
    $IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
        --rcheck --seconds 5 --hitcount 3 -j REJECT --reject-with tcp-reset
    # the same three rules for SSH traffic forwarded through this box
    $IPTABLES -A FORWARD -p tcp --syn --dport 22 -m recent --name sshattack --set
    $IPTABLES -A FORWARD -p tcp --dport 22 --syn -m recent --name sshattack \
        --rcheck --seconds 5 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: 3/5 '
    $IPTABLES -A FORWARD -p tcp --dport 22 --syn -m recent --name sshattack \
        --rcheck --seconds 5 --hitcount 3 -j REJECT --reject-with tcp-reset

It works very well for me. Then I found that the internal table at /proc/net/ipt_recent/sshattack has a max limit of 100 entries; after the max number of entries has been reached, no more new entries can be added, so the above has no effect.

Does anyone know how to 'enlarge' the limit of the table? Or what should be done to cycle/purge old entries so new hit entries can be added?

Thanks in advance,
Joshua
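The following is an added example written for this page; it is not part of Joshua's post and not code from the netfilter project. The size of the table is the ipt_recent module parameter ip_list_tot (default 100); it is raised with e.g. "modprobe ipt_recent ip_list_tot=1000" or an "options ipt_recent ip_list_tot=1000" line in modprobe.conf, and it only takes effect when the module is loaded, so it has to be set before the first rule that references the table is inserted. The script below covers the other half of the question, purging the least recently seen entries when the table is full, using the proc interface of ipt_recent: writing "-A.B.C.D" to /proc/net/ipt_recent/<name> removes that source and writing "clear" empties the table. The line format of the table dump ("src=A.B.C.D ttl: N last_seen: JIFFIES ...") and the sample dump embedded in the script are assumptions, and the sample is constructed, not taken from a real host. On kernels where the module was renamed xt_recent the path is /proc/net/xt_recent/<name> instead.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the ipt_recent proc
# interface: one "src=A.B.C.D ttl: N last_seen: JIFFIES oldest_pkt: N
# last_pkts: ..." line per tracked source, "-A.B.C.D" written to the file
# removes that entry, "clear" empties the table (assumptions).
# The table limit itself is the module parameter ip_list_tot (default 100):
#   modprobe ipt_recent ip_list_tot=1000
# This script purges the oldest entries when the table reaches the limit so
# that new attackers can still be recorded.

TABLE="${TABLE:-/proc/net/ipt_recent/sshattack}"
LIMIT="${LIMIT:-100}"      # must match ip_list_tot on this host (assumption)
HEADROOM="${HEADROOM:-10}" # entries to free once the table is full

# Number of tracked sources in a table (live proc file or saved dump).
recent_count() {
    { grep -c '^src=' "$1" || true; }
}

# Print the N sources with the smallest last_seen, i.e. least recently seen.
# last_seen is in kernel jiffies, so ordering does not need HZ; it is only
# meaningful as long as the jiffies counter has not wrapped.
recent_oldest() {
    awk '/^src=/ {
            sub(/^src=/, "", $1)
            for (i = 1; i <= NF; i++)
                if ($i == "last_seen:") print $(i + 1), $1
         }' "$1" | sort -n | head -n "$2" | cut -d' ' -f2
}

# If the table holds at least LIMIT entries, remove the HEADROOM oldest ones.
# Only a path under /proc is written to; any other path is treated as a saved
# dump and the removals are just printed (dry run without root).
purge_if_full() {
    table="$1"; limit="$2"; headroom="$3"
    [ -r "$table" ] || return 1
    if [ "$(recent_count "$table")" -lt "$limit" ]; then
        return 0
    fi
    for ip in $(recent_oldest "$table" "$headroom"); do
        case "$table" in
            /proc/*) printf '%s\n' "-$ip" > "$table" ;;
            *)       echo "would remove $ip from $table" ;;
        esac
    done
}

# Constructed sample dump (not captured from a real host) for the dry run.
write_sample_dump() {
    cat > "$1" <<'EOF'
src=10.0.0.5 ttl: 64 last_seen: 4295100 oldest_pkt: 3 last_pkts: 4295000 4295050 4295100
src=10.0.0.9 ttl: 64 last_seen: 4294000 oldest_pkt: 1 last_pkts: 4294000
src=192.0.2.17 ttl: 53 last_seen: 4296200 oldest_pkt: 3 last_pkts: 4296100 4296150 4296200
src=198.51.100.4 ttl: 60 last_seen: 4293500 oldest_pkt: 2 last_pkts: 4293400 4293500
EOF
}

# Run from cron every minute on the firewall, e.g.
#   TABLE=/proc/net/ipt_recent/sshattack LIMIT=100 HEADROOM=10 ./purge-recent.sh
# Without a live table (no ipt_recent loaded, or not root) it does a dry run
# on the sample with a table limit of 4, freeing 2 entries.
if [ -r "$TABLE" ]; then
    purge_if_full "$TABLE" "$LIMIT" "$HEADROOM"
else
    tmp=$(mktemp)
    write_sample_dump "$tmp"
    purge_if_full "$tmp" 4 2
    rm -f "$tmp"
fi
```

HEADROOM should be well above the number of distinct sources you expect to see between two runs, otherwise the table fills up again before the next purge. Raising ip_list_tot is still the better first step; the purge only keeps the rule working at the edge.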