
Re: problem with recent match



Hi Martin,

I have the same problem: out of the blue, customers (I also use this for FTP) get dropped on 1 hit while they should only get dropped at the 10th hit.
It worked perfectly for a couple of weeks...
For now I have increased the --hitcount from 10 to 11 and it works fine again? Also, when I activate the firewall I have to wait a minute or so before I can connect...
Thanks,

Koen

martin f krafft wrote:
[I sent this message to the netfilter list two days ago and have not
received a reply yet.

  https://lists.netfilter.org/pipermail/netfilter/2006-March/065082.html
]

Hi,

I am somewhat baffled by a problem with a bunch of my machines.
I use the following rules there to limit SSH brute force attacks:

  -A INPUT -p tcp -m tcp --dport 22 -j ssh-tarpit
  -A ssh-tarpit -m recent --name ssh_tarpit --set --rsource -j ssh-whitelist
  -A ssh-tarpit -m recent ! --update --seconds 60 --hitcount 8 --name ssh_tarpit -
  -A ssh-tarpit -j LOG --log-prefix "[SSH flood] "
  -A ssh-tarpit -p tcp -j TARPIT
  -A ssh-tarpit -j DROP
  -A ssh-whitelist -s 1.2.3.0/24 -j ACCEPT

This used to work, and I still have a machine or two where it works
just as I want it: 8 connections per minute, if exceeded, you have
to wait for a full minute before trying again (update instead of
rcheck).

The problem now is that I cannot log in from anywhere anymore,
except for the whitelisted hosts. If I check the kernel output on
the machine, I see the SSH flood log entries generated by the LOG
line even for the first connection attempt.

I tried to

  echo clear > /proc/net/ipt_recent/ssh_tarpit

but the result is the same: even with an empty recent packets list,
packets from non-whitelisted hosts are dropped by the SSH flood
rules.

The same ruleset works fine on another machine.

If I run tcpdump filtered to port 22, I don't see any stray packets
that could be interfering. In fact, logged in via a whitelisted
machine (.73), I can see this behaviour:

  gaia:~# tcpdump -n port 22 and not host 130.60.75.73 &
  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

  gaia:~# tail -fn0 /var/log/kern.log &

  gaia:~# echo clear > /proc/net/ipt_recent/ssh_tarpit

  gaia:~# wc -l /proc/net/ipt_recent/ssh_tarpit
  0 /proc/net/ipt_recent/ssh_tarpit

  [now try to connect from a non-whitelisted machine]

  13:59:17.401234 IP 84.72.27.34.33657 > 130.60.75.60.22:
    S 1510041102:1510041102(0) win 5840 <mss 1460,sackOK,timestamp
    350551978 0,nop,wscale 2>
  Mar  8 13:59:17 gaia kernel: [SSH flood] IN=eth0 OUT=
    MAC=00:0b:6a:f0:fd:6b:00:05:5e:46:0e:ff:08:00
    SRC=84.72.27.34 DST=130.60.75.60 LEN=60 TOS=0x00
    PREC=0x00 TTL=56 ID=39332 DF PROTO=TCP SPT=33657
    DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
  gaia:~# wc -l /proc/net/ipt_recent/ssh_tarpit
  1 /proc/net/ipt_recent/ssh_tarpit
  gaia:~# cat /proc/net/ipt_recent/ssh_tarpit
  src=84.72.27.34 ttl: 56 last_seen: 3341207100 oldest_pkt: 1 last_pkts: 3341207100

What could be the reason for this behaviour, which I claim to be
completely unexpected? ipt_recent knows about a single packet from
that source, but it acts as if eight packets had come in within the
last 60 seconds.

Any help appreciated.

Thanks,
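A model of the quoted ssh-tarpit chain (`--set --rsource`, then `! --update --seconds 60 --hitcount 8`), added here as an example and not code from either post. It assumes the documented semantics that `--hitcount N` matches once at least N of the source's recorded packets fall inside the window, that `--update` refreshes the entry on a match, and that the list holds 20 timestamps per source (ipt_recent's default ip_pkt_list_tot); the source addresses and timings are constructed.

```python
"""Model of the ssh-tarpit chain: `-m recent --set` followed by
`! --update --seconds 60 --hitcount 8` (added example, not the original post)."""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

PKT_LIST_TOT = 20  # assumption: ipt_recent's default ip_pkt_list_tot
WHITELIST = ip_network("1.2.3.0/24")  # source range of the ssh-whitelist rule


class RecentTable:
    """One `--name` list: source address -> timestamps of recorded packets."""

    def __init__(self):
        self.entries = defaultdict(lambda: deque(maxlen=PKT_LIST_TOT))

    def set(self, src, now):
        # `--set --rsource`: always matches and records the packet's source/time.
        self.entries[src].append(now)

    def update(self, src, now, seconds, hitcount):
        # `--update --seconds S --hitcount N`: match if the source is listed and
        # at least N recorded packets (the current one included, because the
        # --set rule ran first) arrived within the last S seconds. On a match
        # the entry is refreshed, which is what distinguishes it from --rcheck.
        stamps = self.entries.get(src)
        if stamps is None:
            return False
        if sum(1 for t in stamps if now - t <= seconds) >= hitcount:
            stamps.append(now)
            return True
        return False

    def clear(self):
        # `echo clear > /proc/net/ipt_recent/ssh_tarpit`
        self.entries.clear()

    def listed(self):
        # Line count `wc -l /proc/net/ipt_recent/ssh_tarpit` would report.
        return len(self.entries)


def ssh_tarpit(table, src, now, seconds=60, hitcount=8):
    """Verdict the chain gives one TCP/22 SYN from `src` at time `now` (seconds)."""
    table.set(src, now)                     # rule 1: record, then jump to ssh-whitelist
    if ip_address(src) in WHITELIST:
        return "ACCEPT"
    if not table.update(src, now, seconds, hitcount):
        return "RETURN"                     # rule 2 (`!`): below hitcount, let it through
    return "TARPIT"                         # rules 3-5: LOG, TARPIT (DROP is the fallback)


def simulate(times, src="84.72.27.34"):
    """Verdicts for SYNs from one source at the given times (constructed input)."""
    table = RecentTable()
    return [ssh_tarpit(table, src, t) for t in times]
```

With a fresh table, a single SYN from a non-whitelisted host yields RETURN and one list entry, which is the behaviour the quoted ruleset should show; eight SYNs inside one minute turn the eighth into TARPIT, and the source only gets RETURN again once fewer than eight of its recorded packets lie within the last 60 seconds.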
