
problem with recent match

[I sent this message to the netfilter list two days ago and have not
received a reply yet.]



I am somewhat baffled by a problem with a bunch of my machines.
I use the following rules there to limit SSH brute force attacks:

  -A INPUT -p tcp -m tcp --dport 22 -j ssh-tarpit
  -A ssh-tarpit -m recent --name ssh_tarpit --set --rsource -j ssh-whitelist
  -A ssh-tarpit -m recent ! --update --seconds 60 --hitcount 8 --name ssh_tarpit -
  -A ssh-tarpit -j LOG --log-prefix "[SSH flood] "
  -A ssh-tarpit -p tcp -j TARPIT
  -A ssh-tarpit -j DROP
  -A ssh-whitelist -s -j ACCEPT

This used to work, and I still have a machine or two where it works
just as I want it: 8 connections per minute; if that is exceeded, you have
to wait for a full minute before trying again (update instead of

The problem now is that I cannot log in from anywhere anymore,
except for the whitelisted hosts. If I check the kernel output on
the machine, I see the SSH flood log entries generated by the LOG
line even for the first connection attempt.

I tried to

  echo clear > /proc/net/ipt_recent/ssh_tarpit

but the result is the same: even with an empty recent packets list,
packets from non-whitelisted hosts are dropped by the SSH flood

The same ruleset works fine on another machine.

If I run tcpdump filtered to port 22, I don't see any stray packets
that could be interfering. In fact, logged in via a whitelisted
machine (.73), I can see this behaviour:

  gaia:~# tcpdump -n port 22 and not host &
  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

  gaia:~# tail -fn0 /var/log/kern.log &

  gaia:~# echo clear > /proc/net/ipt_recent/ssh_tarpit

  gaia:~# wc -l /proc/net/ipt_recent/ssh_tarpit
  0 /proc/net/ipt_recent/ssh_tarpit

  [now try to connect from a non-whitelisted machine]

  13:59:17.401234 IP >
    S 1510041102:1510041102(0) win 5840 <mss 1460,sackOK,timestamp
    350551978 0,nop,wscale 2>
  Mar  8 13:59:17 gaia kernel: [SSH flood] IN=eth0 OUT=
    SRC= DST= LEN=60 TOS=0x00
    PREC=0x00 TTL=56 ID=39332 DF PROTO=TCP SPT=33657
    DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 

  gaia:~# wc -l /proc/net/ipt_recent/ssh_tarpit
  1 /proc/net/ipt_recent/ssh_tarpit
  gaia:~# cat /proc/net/ipt_recent/ssh_tarpit
  src= ttl: 56 last_seen: 3341207100 oldest_pkt: 1 last_pkts: 3341207100

What could be the reason for this behaviour, which I claim to be
completely unexpected? ipt_recent knows about a single packet from
that source, but it acts as if eight packets had come in within the
last 60 seconds.

Any help appreciated.


martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
invalid/expired pgp (sub)keys? use subkeys.pgp.net as keyserver!
spamtraps: madduck.bogus@madduck.net
"'oh, that was easy,' says Man, and for an encore goes on to prove
 that black is white and gets himself killed on the next zebra
            -- douglas adams, "the hitchhiker's guide to the galaxy"

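The ssh-tarpit chain from the message above, traced in userspace as an added example: this is neither the kernel's xt_recent code nor the poster's ruleset, only the documented semantics of `--set`, `--update`, `--seconds` and `--hitcount` so that the verdict each SYN should get can be checked offline and compared with what the post's `/proc/net/ipt_recent/ssh_tarpit` check shows. The whitelisted address 192.0.2.73 (standing in for the post's ".73" host), the attacker address 198.51.100.7, the sample traffic and the assumption that the truncated `! --update` rule ends in `-j RETURN` are all assumptions of this example.

```python
"""Userspace model of the iptables `recent` match as used in the ssh-tarpit
chain from the post.  Added example: it is not the kernel's xt_recent code
and not the poster's ruleset, just the documented --set/--update/--seconds/
--hitcount semantics so the chain's expected verdicts can be traced offline.
Assumptions: the truncated rule ends in `-j RETURN`, the whitelisted host is
192.0.2.73 (the post's ".73") and the attacker address is 198.51.100.7.
"""
from collections import deque

IP_PKT_LIST_TOT = 20        # xt_recent default: timestamps kept per source
WHITELIST = {"192.0.2.73"}  # assumed stand-in for the post's whitelisted ".73" host


class RecentTable:
    """One named recent list, i.e. what /proc/net/ipt_recent/<name> shows."""

    def __init__(self, pkt_list_tot=IP_PKT_LIST_TOT):
        self.entries = {}            # src -> deque of timestamps, oldest first
        self.pkt_list_tot = pkt_list_tot

    def _stamp(self, src, now):
        stamps = self.entries.setdefault(src, deque(maxlen=self.pkt_list_tot))
        stamps.append(now)           # ring buffer: the oldest stamp is overwritten when full

    def set(self, src, now):
        """--set: add src (or refresh it) and record this packet; always matches."""
        self._stamp(src, now)
        return True

    def check(self, src, now, seconds=0, hitcount=0, update=False):
        """--rcheck (update=False) or --update (update=True).

        Matches when src is listed and at least `hitcount` packets (0 means
        "any") were recorded within the last `seconds` (0 means "ever").
        --update additionally records the current packet on a match.
        """
        stamps = self.entries.get(src)
        if stamps is None:
            return False
        hits = sum(1 for t in stamps if not seconds or now - t <= seconds)
        matched = hits >= (hitcount or 1)
        if matched and update:
            self._stamp(src, now)
        return matched

    def clear(self):
        """echo clear > /proc/net/ipt_recent/<name>"""
        self.entries.clear()

    def dump(self, src):
        """Roughly the /proc line for one source: last_seen and the packet stamps."""
        stamps = self.entries.get(src, ())
        return {"src": src, "last_seen": stamps[-1] if stamps else None,
                "pkts": list(stamps)}


def ssh_tarpit(table, src, now, seconds=60, hitcount=8, log=None):
    """Walk the ssh-tarpit chain for one SYN from src and return the verdict:
    ACCEPT (whitelisted), RETURN (under the limit; INPUT processing continues)
    or DROP (logged, then TARPIT/DROP).  The `!` on the --update rule is the
    inversion: that rule fires, and the packet is let through, while the
    hit-count condition is NOT met.
    """
    table.set(src, now)                       # -m recent --set --rsource -j ssh-whitelist
    if src in WHITELIST:                      # ssh-whitelist: -s <addr> -j ACCEPT
        return "ACCEPT"
    # -m recent ! --update --seconds 60 --hitcount 8 ... (assumed target: RETURN)
    if not table.check(src, now, seconds, hitcount, update=True):
        return "RETURN"
    if log is not None:                       # -j LOG --log-prefix "[SSH flood] "
        log.append(f"[SSH flood] SRC={src} t={now}")
    return "DROP"                             # -j TARPIT, then -j DROP


def run_scenario():
    """Constructed traffic: an attacker sending one SYN per second for ten
    seconds, the whitelisted host during the burst, the attacker again after
    a minute of silence, and finally the post's own check (cleared list,
    first packet from a non-whitelisted source).  Returns (verdicts, log, table).
    """
    table, log, verdicts = RecentTable(), [], []
    attacker, friend = "198.51.100.7", "192.0.2.73"
    for t in range(10):
        verdicts.append((attacker, t, ssh_tarpit(table, attacker, t, log=log)))
    verdicts.append((friend, 10, ssh_tarpit(table, friend, 10, log=log)))
    verdicts.append((attacker, 70, ssh_tarpit(table, attacker, 70, log=log)))
    table.clear()
    verdicts.append((attacker, 200, ssh_tarpit(table, attacker, 200, log=log)))
    return verdicts, log, table


if __name__ == "__main__":
    for src, t, verdict in run_scenario()[0]:
        print(f"t={t:3d} {src:15} {verdict}")
```

Two things worth noticing when running it. First, the eighth SYN inside the minute is the first one that gets logged and dropped, and the last step (a cleared list, then one SYN from a non-whitelisted host) yields RETURN with exactly one stamp in the table, which is the healthy outcome the post contrasts with what gaia actually does. Second, because the `--set` rule stamps every packet before the hit-count rule is consulted, a client that keeps retrying keeps extending its own block; the refresh that `--update` adds on a match is secondary in this chain, so the modelled behaviour does not hinge on how a given kernel combines `!` with that refresh.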