[I sent this message to the netfilter list two days ago and have not received a reply yet. https://lists.netfilter.org/pipermail/netfilter/2006-March/065082.html ]

Hi,

I am somewhat baffled by a problem with a bunch of my machines. I use the following rules there to limit SSH brute force attacks:

  -A INPUT -p tcp -m tcp --dport 22 -j ssh-tarpit
  -A ssh-tarpit -m recent --name ssh_tarpit --set --rsource -j ssh-whitelist
  -A ssh-tarpit -m recent ! --update --seconds 60 --hitcount 8 --name ssh_tarpit -
  -A ssh-tarpit -j LOG --log-prefix "[SSH flood] "
  -A ssh-tarpit -p tcp -j TARPIT
  -A ssh-tarpit -j DROP
  -A ssh-whitelist -s 220.127.116.11/24 -j ACCEPT

This used to work, and I still have a machine or two where it works just as I want it: 8 connections per minute; if exceeded, you have to wait for a full minute before trying again (update instead of rcheck).

The problem now is that I cannot log in from anywhere anymore, except for the whitelisted hosts. If I check the kernel output on the machine, I see the SSH flood log entries generated by the LOG line even for the first connection attempt. I tried to

  echo clear > /proc/net/ipt_recent/ssh_tarpit

but the result is the same: even with an empty recent packets list, packets from non-whitelisted hosts are dropped by the SSH flood rules. The same ruleset works fine on another machine. If I run tcpdump filtered to port 22, I don't see any stray packets that could be interfering.
In fact, logged in via a whitelisted machine (.73), I can see this behaviour:

  gaia:~# tcpdump -n port 22 and not host 18.104.22.168 &
  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
  gaia:~# tail -fn0 /var/log/kern.log &
  gaia:~# echo clear > /proc/net/ipt_recent/ssh_tarpit
  gaia:~# wc -l /proc/net/ipt_recent/ssh_tarpit
  0 /proc/net/ipt_recent/ssh_tarpit

  [now try to connect from a non-whitelisted machine]

  13:59:17.401234 IP 22.214.171.124.33657 > 126.96.36.199.22: S 1510041102:1510041102(0) win 5840 <mss 1460,sackOK,timestamp 350551978 0,nop,wscale 2>
  Mar 8 13:59:17 gaia kernel: [SSH flood] IN=eth0 OUT= MAC=00:0b:6a:f0:fd:6b:00:05:5e:46:0e:ff:08:00 SRC=188.8.131.52 DST=184.108.40.206 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=39332 DF PROTO=TCP SPT=33657 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
  gaia:~# wc -l /proc/net/ipt_recent/ssh_tarpit
  1 /proc/net/ipt_recent/ssh_tarpit
  gaia:~# cat /proc/net/ipt_recent/ssh_tarpit
  src=220.127.116.11 ttl: 56 last_seen: 3341207100 oldest_pkt: 1 last_pkts: 3341207100

What could be the reason for this behaviour, which I claim to be completely unexpected? ipt_recent knows about a single packet from that source, but it acts as if eight packets had come in within the last 60 seconds.

Any help appreciated.

Thanks,

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck

invalid/expired pgp (sub)keys? use subkeys.pgp.net as keyserver!
spamtraps: email@example.com

"'oh, that was easy,' says Man, and for an encore goes on to prove that black is white and gets himself killed on the next zebra crossing."
 -- douglas adams, "the hitchhiker's guide to the galaxy"
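A small model of the ssh-tarpit chain from the post, added here as an illustration and not code from the post or from netfilter: it simulates the recent-match list (every SYN is stamped by --set, then the chain checks for 8 stamps within 60 s) and walks the chain for a sequence of SYNs, so the intended verdicts can be compared with what the post observed (a cleared list plus one SYN should never reach the LOG rule). It assumes that the cut-off target of the `! --update` rule is RETURN, that the list keeps the default ip_pkt_list_tot of 20 stamps per source, and uses constructed test addresses; it models the intended behaviour, not the ipt_recent kernel code itself.

```python
from collections import defaultdict, deque
import ipaddress

SECONDS, HITCOUNT = 60, 8          # --seconds 60 --hitcount 8 from the ruleset
LIST_TOT = 20                      # ip_pkt_list_tot default: stamps kept per source (assumption)
WHITELIST = [ipaddress.ip_network("220.127.116.11/24", strict=False)]  # ssh-whitelist rule
assert HITCOUNT <= LIST_TOT        # a hitcount larger than the ring could never match


class RecentList:
    """Model of one recent list (--name ssh_tarpit): a per-source ring of timestamps."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=LIST_TOT))

    def set(self, src, now):                     # -m recent --set --rsource
        self.stamps[src].append(now)

    def hits(self, src, now, seconds=SECONDS):   # stamps inside the --seconds window
        if src not in self.stamps:
            return 0
        return sum(1 for t in self.stamps[src] if now - t <= seconds)

    def clear(self):                             # echo clear > /proc/net/ipt_recent/<name>
        self.stamps.clear()


def ssh_tarpit(recent, src, now):
    """Walk the ssh-tarpit chain for one SYN and return the verdict the chain ends in."""
    recent.set(src, now)                                   # rule 1: --set, then -j ssh-whitelist
    if any(ipaddress.ip_address(src) in net for net in WHITELIST):
        return "ACCEPT"                                    # ssh-whitelist: -j ACCEPT
    # rule 2: '! --update --seconds 60 --hitcount 8' matches when the source has FEWER than
    # 8 stamps in the last 60 s. Its target is cut off in the post; RETURN is assumed here
    # (the packet goes back to INPUT and is treated as accepted). The --update refresh of
    # the last-seen stamp is a no-op in this model because --set already stamped this packet.
    if recent.hits(src, now) < HITCOUNT:
        return "ACCEPT"
    return "LOG+TARPIT"                                    # rules 3-4: LOG, then TARPIT (DROP is never reached for tcp)


def simulate(events, recent=None):
    """events: list of (time_in_seconds, src) SYNs (constructed); returns one verdict per event."""
    recent = recent if recent is not None else RecentList()
    return [ssh_tarpit(recent, src, t) for t, src in events]
```

Per the recent-match documentation, --hitcount matches when the count is greater than or equal to the value, so the model lets 7 SYNs through and catches the 8th inside one window.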