Joshua, C.S. Chen wrote:
> Hi folks,
> I am now using recent match to block ssh brute-force attack like
>
> ### ssh brute-force attack rule
> $IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
> $IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
>   --rcheck --seconds 5 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: 3/5 '
> $IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
>   --rcheck --seconds 5 --hitcount 3 -j REJECT --reject-with tcp-reset
>
> $IPTABLES -A FORWARD -p tcp --syn --dport 22 -m recent --name sshattack --set
> $IPTABLES -A FORWARD -p tcp --dport 22 --syn -m recent --name sshattack \
>   --rcheck --seconds 5 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: 3/5 '
> $IPTABLES -A FORWARD -p tcp --dport 22 --syn -m recent --name sshattack \
>   --rcheck --seconds 5 --hitcount 3 -j REJECT --reject-with tcp-reset
>
> It works very well for me.
> Then I found that the internal table at /proc/net/ipt_recent/sshattack
> has a max limit of 100 entries; after the max number of entries has been
> reached, no more new entries can be added, so the above will have no effect.
>
> Anyone know how to 'enlarge' the limit of the table? Or what should be
> done to cycle/purge old entries so new hit entries can be added.

man iptables, recent match:

[SNIP]
The module itself accepts parameters, defaults shown:

ip_list_tot=100       Number of addresses remembered per table
ip_pkt_list_tot=20    Number of packets per address remembered
ip_list_hash_size=0   Hash table size. 0 means to calculate it based on
                      ip_list_tot, default: 512
ip_list_perms=0644    Permissions for /proc/net/ipt_recent/* files
debug=0               Set to 1 to get lots of debugging info

Some time ago there was a posting that this doesn't work. So alternatively,
you can modify the source code and edit the respective variable
(<Path/to/kernel_source>/net/ipv4/netfilter/ipt_recent.c => static int ip_list_tot=100).

Have a nice time,
Joerg