problem with recent match

[please CC me as I am not subscribed]

Hi,

I am somewhat baffled by a problem with a bunch of my machines.
I use the following rules there to limit SSH brute force attacks:

  -A INPUT -p tcp -m tcp --dport 22 -j ssh-tarpit
  -A ssh-tarpit -m recent --name ssh_tarpit --set --rsource -j ssh-whitelist
  -A ssh-tarpit -m recent ! --update --seconds 60 --hitcount 8 --name ssh_tarpit -
  -A ssh-tarpit -j LOG --log-prefix "[SSH flood] "
  -A ssh-tarpit -p tcp -j TARPIT
  -A ssh-tarpit -j DROP
  -A ssh-whitelist -s 1.2.3.0/24 -j ACCEPT

This used to work, and I still have a machine or two where it works
just as I want it: 8 connections per minute, if exceeded, you have
to wait for a full minute before trying again (update instead of
rcheck).

The problem now is that I cannot log in from anywhere anymore,
except for the whitelisted hosts. If I check the kernel output on
the machine, I see the SSH flood log entries generated by the LOG
line even for the first connection attempt.

I tried to

  echo clear > /proc/net/ipt_recent/ssh_tarpit

but the result is the same: even with an empty recent packets list,
packets from non-whitelisted hosts are dropped by the SSH flood
rules.

The same ruleset works fine on another machine.

If I run tcpdump filtered to port 22, I don't see any stray packets
that could be interfering. In fact, logged in via a whitelisted
machine (.73), I can see this behaviour:

  gaia:~# tcpdump -n port 22 and not host 130.60.75.73 &
  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

  gaia:~# tail -fn0 /var/log/kern.log &

  gaia:~# echo clear > /proc/net/ipt_recent/ssh_tarpit

  gaia:~# wc -l /proc/net/ipt_recent/ssh_tarpit
  0 /proc/net/ipt_recent/ssh_tarpit

  [now try to connect from a non-whitelisted machine]

  13:59:17.401234 IP 84.72.27.34.33657 > 130.60.75.60.22:
    S 1510041102:1510041102(0) win 5840 <mss 1460,sackOK,timestamp
    350551978 0,nop,wscale 2>
  Mar  8 13:59:17 gaia kernel: [SSH flood] IN=eth0 OUT=
    MAC=00:0b:6a:f0:fd:6b:00:05:5e:46:0e:ff:08:00
    SRC=84.72.27.34 DST=130.60.75.60 LEN=60 TOS=0x00
    PREC=0x00 TTL=56 ID=39332 DF PROTO=TCP SPT=33657
    DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 

  gaia:~# wc -l /proc/net/ipt_recent/ssh_tarpit
  1 /proc/net/ipt_recent/ssh_tarpit
  gaia:~# cat /proc/net/ipt_recent/ssh_tarpit
  src=84.72.27.34 ttl: 56 last_seen: 3341207100 oldest_pkt: 1 last_pkts: 3341207100

What could be the reason for this behaviour, which I claim to be
completely unexpected? ipt_recent knows about a single packet from
that source, but it acts as if eight packets had come in within the
last 60 seconds.

Any help appreciated.

[please CC me as I am not subscribed]

Thanks,

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
 
invalid/expired pgp (sub)keys? use subkeys.pgp.net as keyserver!
spamtraps: madduck.bogus@xxxxxxxxxxx
 
"'oh, that was easy,' says Man, and for an encore goes on to prove
 that black is white and gets himself killed on the next zebra
 crossing."
            -- douglas adams, "the hitchhiker's guide to the galaxy"

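A small model of the recent match's --set / --rcheck / --update semantics with --seconds and --hitcount, run over the ssh-tarpit chain from the post so the expected verdict sequence can be seen without a live box. This is an added example, not code from the post or from netfilter: it follows the man-page description rather than the kernel source, assumes the truncated "! --update" rule ends in -j RETURN, and uses constructed source addresses.

```python
import ipaddress
from collections import defaultdict

class RecentTable:
    """One named 'recent' list: per-source packet timestamps, newest last (ip_pkt_list_tot=20)."""
    def __init__(self, max_stamps=20):
        self.max_stamps = max_stamps
        self.stamps = defaultdict(list)

    def set(self, src, now):
        """--set: record this packet for src; always matches."""
        s = self.stamps[src]
        s.append(now)
        del s[:-self.max_stamps]          # keep only the newest max_stamps entries
        return True

    def check(self, src, now, seconds=None, hitcount=1, update=False):
        """--rcheck (update=False) / --update (update=True): match if src is listed and at
        least `hitcount` packets fell inside the last `seconds`; --update also records this
        packet when it matches, so a source that keeps hammering keeps renewing its lockout."""
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if seconds is None or now - t <= seconds)
        matched = hits >= hitcount
        if matched and update:
            self.set(src, now)
        return matched

    def clear(self):
        """Equivalent of: echo clear > /proc/net/ipt_recent/<name>"""
        self.stamps.clear()

WHITELIST = [ipaddress.ip_network("1.2.3.0/24")]   # -A ssh-whitelist -s 1.2.3.0/24 -j ACCEPT

def ssh_tarpit(table, src, now):
    """One SYN through the chain from the post; returns ACCEPT, RETURN or TARPIT."""
    table.set(src, now)                                 # --set --rsource -j ssh-whitelist
    if any(ipaddress.ip_address(src) in net for net in WHITELIST):
        return "ACCEPT"
    # The posted '! --update --seconds 60 --hitcount 8' line is cut off; its target is
    # assumed here to be RETURN (hand the packet back to the INPUT chain).
    if not table.check(src, now, seconds=60, hitcount=8, update=True):
        return "RETURN"
    return "TARPIT"                                     # LOG "[SSH flood]" then TARPIT

def simulate(times, src="203.0.113.5"):
    """Verdicts for SYNs at the given times (seconds) from one constructed source."""
    table = RecentTable()
    return [ssh_tarpit(table, src, now) for now in times]

if __name__ == "__main__":
    print(simulate(range(10)))                          # RETURN x7, then TARPIT once 8 stamps sit inside 60 s
    print(simulate([0, 1, 2, 3, 4, 5, 6, 7, 30, 100]))  # still TARPIT at 30 s, RETURN again at 100 s
```

A source with a single entry in the list, as in the post's /proc output, comes out as RETURN in this model; eight stamps inside the window are needed before the LOG/TARPIT lines are reached.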