Hi Martin,
I have the same problem: out of the blue, customers (I also use this for
FTP) get dropped on 1 hit while they should only get dropped at the 10th
hit.
It worked perfectly for a couple of weeks...
For now I have increased the --hitcount from 10 to 11 and it works fine
again?
Also, when I activate the firewall I have to wait like a minute or so
before I can connect...
Thanks,
Koen
martin f krafft wrote:
[I sent this message to the netfilter list two days ago and have not
received a reply yet:
https://lists.netfilter.org/pipermail/netfilter/2006-March/065082.html]
Hi,
I am somewhat baffled by a problem with a bunch of my machines.
I use the following rules there to limit SSH brute force attacks:
-A INPUT -p tcp -m tcp --dport 22 -j ssh-tarpit
-A ssh-tarpit -m recent --name ssh_tarpit --set --rsource -j ssh-whitelist
-A ssh-tarpit -m recent ! --update --seconds 60 --hitcount 8 --name ssh_tarpit -
-A ssh-tarpit -j LOG --log-prefix "[SSH flood] "
-A ssh-tarpit -p tcp -j TARPIT
-A ssh-tarpit -j DROP
-A ssh-whitelist -s 1.2.3.0/24 -j ACCEPT
This used to work, and I still have a machine or two where it works
just as I want it: 8 connections per minute; if that is exceeded, you
have to wait for a full minute before trying again (update instead of
rcheck).
The problem now is that I cannot log in from anywhere anymore,
except for the whitelisted hosts. If I check the kernel output on
the machine, I see the SSH flood log entries generated by the LOG
line even for the first connection attempt.
I tried to
echo clear > /proc/net/ipt_recent/ssh_tarpit
but the result is the same: even with an empty recent packets list,
packets from non-whitelisted hosts are dropped by the SSH flood
rules.
The same ruleset works fine on another machine.
If I run tcpdump filtered to port 22, I don't see any stray packets
that could be interfering. In fact, logged in via a whitelisted
machine (.73), I can see this behaviour:
gaia:~# tcpdump -n port 22 and not host 130.60.75.73 &
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
gaia:~# tail -fn0 /var/log/kern.log &
gaia:~# echo clear > /proc/net/ipt_recent/ssh_tarpit
gaia:~# wc -l /proc/net/ipt_recent/ssh_tarpit
0 /proc/net/ipt_recent/ssh_tarpit
[now try to connect from a non-whitelisted machine]
13:59:17.401234 IP 84.72.27.34.33657 > 130.60.75.60.22: S 1510041102:1510041102(0) win 5840 <mss 1460,sackOK,timestamp 350551978 0,nop,wscale 2>
Mar 8 13:59:17 gaia kernel: [SSH flood] IN=eth0 OUT= MAC=00:0b:6a:f0:fd:6b:00:05:5e:46:0e:ff:08:00 SRC=84.72.27.34 DST=130.60.75.60 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=39332 DF PROTO=TCP SPT=33657 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
gaia:~# wc -l /proc/net/ipt_recent/ssh_tarpit
1 /proc/net/ipt_recent/ssh_tarpit
gaia:~# cat /proc/net/ipt_recent/ssh_tarpit
src=84.72.27.34 ttl: 56 last_seen: 3341207100 oldest_pkt: 1 last_pkts: 3341207100
What could be the reason for this behaviour, which I claim to be
completely unexpected? ipt_recent knows about a single packet from
that source, but it acts as if eight packets had come in within the
last 60 seconds.
Any help appreciated.
Thanks,
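To compare what a `recent` rule should be computing with what /proc/net/ipt_recent shows, here is an added Python script (not part of the thread and not netfilter's code) that parses the proc line format quoted above and replays the "--seconds 60 --hitcount 8" test over the recorded stamps. It assumes HZ=1000 for converting jiffies to seconds and uses wrap-safe 32-bit arithmetic for the age comparison, as the kernel's time_after() does; the second, flooding address is constructed.

```python
"""Parse /proc/net/ipt_recent/<table> lines (the format quoted in the thread) and
replay the '--seconds 60 --hitcount 8' decision the ssh-tarpit chain relies on."""
import re

HZ = 1000                  # assumption: kernel tick rate; the proc file's stamps are jiffies
JIFFIES_MASK = 0xFFFFFFFF  # jiffies is a 32-bit counter on 32-bit kernels and wraps around

ENTRY_RE = re.compile(
    r"src=(?P<src>\S+) ttl: (?P<ttl>\d+) last_seen: (?P<last_seen>\d+) "
    r"oldest_pkt: (?P<oldest_pkt>\d+) last_pkts: (?P<last_pkts>[\d ]+)$")

def parse_recent_entry(line):
    """One proc line -> dict; last_pkts becomes a list of jiffies stamps (one per recorded packet)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError("not an ipt_recent entry: %r" % line)
    d = m.groupdict()
    return {"src": d["src"], "ttl": int(d["ttl"]), "last_seen": int(d["last_seen"]),
            "oldest_pkt": int(d["oldest_pkt"]),
            "last_pkts": [int(t) for t in d["last_pkts"].split()]}

def jiffies_elapsed(now, then):
    """Wrap-safe 'now - then': the unsigned arithmetic the kernel's time_after() relies on."""
    return (now - then) & JIFFIES_MASK

def hits_in_window(entry, now, seconds, hz=HZ):
    """Stamps no older than `seconds`: the count that --rcheck/--update --seconds compares to --hitcount."""
    window = seconds * hz
    return sum(1 for t in entry["last_pkts"] if jiffies_elapsed(now, t) <= window)

def hitcount_reached(entry, now, seconds=60, hitcount=8, hz=HZ):
    """True when '! --update --seconds 60 --hitcount 8' does not match, so the packet falls through."""
    return hits_in_window(entry, now, seconds, hz) >= hitcount

# The entry shown in the thread: a single recorded packet, so it must count as one hit, not eight.
THREAD_ENTRY = "src=84.72.27.34 ttl: 56 last_seen: 3341207100 oldest_pkt: 1 last_pkts: 3341207100"

# Constructed entry (not from the thread): eight SYNs 5 s apart, the last one at the same jiffies value.
FLOODER = ("src=198.51.100.7 ttl: 56 last_seen: 3341207100 oldest_pkt: 8 last_pkts: "
           + " ".join(str(3341207100 - 5 * HZ * i) for i in range(7, -1, -1)))

if __name__ == "__main__":
    now = 3341207100 + HZ  # one second after the last recorded packet
    for line in (THREAD_ENTRY, FLOODER):
        e = parse_recent_entry(line)
        verdict = "hitcount reached" if hitcount_reached(e, now) else "under hitcount"
        print("%s: %d hit(s) in 60 s -> %s" % (e["src"], hits_in_window(e, now, 60), verdict))
```

Feed it the lines from `cat /proc/net/ipt_recent/ssh_tarpit` together with the current jiffies value to see how many hits the rule should be counting for each source.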