Re: recent module

Thanks for your answer.

It does not make any sense to me, since the rules drop packets... I am puzzled...

The DROP rule takes effect only if the IP address is in the list, but in fact it is the other rule that puts those IPs in the list, therefore they cannot be the first packets.


Another question pops up in my mind: what is the difference between state and conntrack?

Chain INPUT (policy ACCEPT 44517 packets, 5130K bytes)
 pkts bytes target prot opt in   out source    destination
  240 12948 LOG    tcp  --  *    *   0.0.0.0/0 0.0.0.0/0   state NEW tcp dpt:22 LOG flags 0 level 4
  106  5684 DROP   tcp  --  eth0 *   0.0.0.0/0 0.0.0.0/0   tcp dpt:22 state NEW recent: UPDATE seconds: 1800 hit_count: 5 name: ssh-defensive side: source
  134  7264        tcp  --  eth0 *   0.0.0.0/0 0.0.0.0/0   tcp dpt:22 state NEW recent: SET name: ssh-defensive side: source


You're matching state NEW, which (if I'm not mistaken) only matches
the initial SYN packet of a transaction. Everything after that is ESTABLISHED or RELATED.


On 30 October 2014 23:35, Pietro Paolini <pulsarpietro@xxxxxxx> wrote:

Hi all,

I am trying to use the recent module to stop the slate of attacks I get
every day, but I am not sure my understanding of its logic is correct.

-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 1800 --hitcount 5 --name ssh-defensive --rsource -j DROP

-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name ssh-defensive --rsource

I am testing this solution - which works as intended - but the packet
counters do not make sense to me. During my test I start the ssh client,
I get the prompt asking for the password and I immediately check the
iptables counters:

Chain INPUT (policy ACCEPT 81 packets, 8996 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    52 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22 LOG flags 0 level 4
    0     0 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW recent: UPDATE seconds: 1800 hit_count: 5 name: ssh-defensive side: source
    1    52            tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW recent: SET name: ssh-defensive side: source

I expected to see more packets; what about the TCP handshake?

Thanks in advance,

Pietro

"And therefore never send to know for whom the bell tolls"
pulsarpietro@xxxxxxx

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

--
Luke Pascoe

E luke@xxxxxxxxxx
P +64 (9) 296 2961
M +64 (27) 426 6649
W www.osnz.co.nz

24 Wellington St
Papakura
Auckland, 2110
New Zealand
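To make Luke's point about state NEW concrete, here is a small model of the two rules as xt_recent evaluates them; this is an added example, not code from either post, and the packet trace it runs over is constructed. It assumes that conntrack marks only the first packet of a flow NEW (the handshake's ACK and the later data are ESTABLISHED, so they never reach the rules), that --update counts the stamps already present for the source, not the packet being checked, and that a matching --update refreshes the stamp, which is how the module behaves.

```python
from collections import defaultdict

SECONDS, HITCOUNT = 1800, 5   # --seconds 1800 --hitcount 5 from the two rules

class RecentTable:
    """The 'ssh-defensive' list: hit times per source address (--rsource)."""
    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):
        """-m recent --set: record a hit for src; always matches."""
        self.stamps[src].append(now)
        return True

    def update(self, src, now):
        """--update: match if src already has HITCOUNT stamps inside the window."""
        hits = [t for t in self.stamps[src] if now - t <= SECONDS]  # current packet not counted
        if len(hits) >= HITCOUNT:
            self.set(src, now)   # a matching --update also refreshes the stamp
            return True
        return False

def run_chain(packets):
    """LOG -> DROP -> SET over (time, src, sport, flags) packets. Conntrack
    stand-in: after an accepted SYN a flow is ESTABLISHED and skips the rules."""
    table, established = RecentTable(), set()
    counters, verdicts = {"LOG": 0, "DROP": 0, "SET": 0}, []
    for now, src, sport, _flags in packets:
        if (src, sport) in established:
            verdicts.append("ACCEPT")   # no rule matches; chain policy ACCEPT
            continue
        counters["LOG"] += 1            # rule 1: LOG ... state NEW tcp dpt:22
        if table.update(src, now):      # rule 2: DROP when 5 hits in 1800 s
            counters["DROP"] += 1
            verdicts.append("DROP")     # SYN dropped, no handshake follows
            continue
        table.set(src, now)             # rule 3: --set, no -j, falls through
        counters["SET"] += 1
        established.add((src, sport))
        verdicts.append("ACCEPT")
    return counters, verdicts

def demo():
    """Constructed trace: a login (SYN, ACK, two data packets), six new
    connections from one address 10 s apart, one more after the window."""
    trace = [(0, "10.0.0.5", 40000, "S"), (0, "10.0.0.5", 40000, "A"),
             (1, "10.0.0.5", 40000, "PA"), (1, "10.0.0.5", 40000, "PA")]
    trace += [(100 + 10 * i, "203.0.113.9", 50000 + i, "S") for i in range(6)]
    trace.append((2000, "203.0.113.9", 50006, "S"))
    return run_chain(trace)   # counters -> {'LOG': 8, 'DROP': 1, 'SET': 7}
```

Over that trace the LOG and SET counters advance once per connection attempt and never for the handshake's remaining packets, which is why a single login shows one packet on each rule; the sixth attempt inside the window is the first one DROP catches, and an attempt after the 1800 s window is let through again.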