Bug#332231: Bug#333350: ipt_recent kernel module suffers from jiffies rollover
On Tue, Oct 11, 2005 at 03:46:03PM +0200, Rainer Schöpf wrote:
> Package: kernel-image-2.6.8-2-686-smp
> Version: 2.6.8-16
> Severity: serious
>
> The ipt_recent kernel module suffers from a wraparound of the jiffies
> counter. The problem is described by the module author on
>
> http://blog.blackdown.de/2005/05/09/fixing-the-ipt_recent-netfilter-module/
>
> Since the correction didn't make it into the official kernel sources,
> I would be very grateful if the debian kernels could pick up the change.
Unfortunately the patch didn't make it upstream because it is not correct.
This bug (333350) is actually a duplicate of 332231. I am forwarding your
information to that bug and closing this one.
Thanks
> For reference:
>
> I use the ipt_recent kernel module to protect against ssh attacks,
> with the following rules:
>
> iptables -A dante_in -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
> iptables -A dante_in -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --rsource -j ULOG --ulog-prefix "DROP SSH_brute_force:" --ulog-cprange 64
> iptables -A dante_in -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --rsource -j DROP
>
> After several weeks, ssh logins fail if they come from an IP address not
> yet known to the ipt_recent module. Reboot helps.
>
> Rainer Schoepf
--
Horms
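The whole thread turns on how a timestamp comparison against the kernel's jiffies tick counter behaves once that counter wraps. The following C program is an added illustration of that bug class; it is not the ipt_recent source, not the patch from the linked blog post, and does not claim to reproduce the exact defect in 2.6.8. The tick rate, the simulated counter values and the 60-second window matching the `--seconds 60 --hitcount 4` rules above are all constructed here.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed tick rate; 2.6-era x86 kernels defaulted to HZ=1000, which wraps a
 * 32-bit jiffies counter in roughly 49.7 days. All values below are simulated. */
#define HZ 1000UL

/* Naive check: "has last_seen + timeout already passed?" as a plain unsigned
 * comparison. It breaks whenever the deadline and the current counter sit on
 * opposite sides of the wrap point. */
static bool naive_expired(unsigned long now, unsigned long last_seen,
                          unsigned long timeout)
{
    return now >= last_seen + timeout;
}

/* Wrap-safe check, using the same idiom as the Linux kernel's time_after() and
 * time_before() macros in <linux/jiffies.h>: subtract modulo 2^N and read the
 * difference as signed. The sign then says which instant is later, as long as
 * the two are less than half the counter range apart. */
static bool safe_expired(unsigned long now, unsigned long last_seen,
                         unsigned long timeout)
{
    return (long)(now - (last_seen + timeout)) >= 0;
}

/* Count how many recorded hits from one source still fall inside the window,
 * which is the quantity a --seconds/--hitcount rule decides on. The expiry
 * predicate is passed in so both variants can be compared on the same data. */
static size_t count_hits(const unsigned long *stamps, size_t n,
                         unsigned long now, unsigned long window,
                         bool (*expired)(unsigned long, unsigned long,
                                         unsigned long))
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (!expired(now, stamps[i], window))
            hits++;
    return hits;
}

int main(void)
{
    const unsigned long window = 60UL * HZ;

    /* Constructed scenario: three hits recorded shortly before the counter
     * wraps, evaluated 5 s before the wrap. Elapsed: 45 s, 15 s, 65 s. */
    const unsigned long stamps[] = {
        ULONG_MAX - 50000UL, ULONG_MAX - 20000UL, ULONG_MAX - 70000UL
    };
    const unsigned long now = ULONG_MAX - 5000UL;

    printf("naive hits in window: %zu (expected 2)\n",
           count_hits(stamps, 3, now, window, naive_expired));
    printf("safe  hits in window: %zu (expected 2)\n",
           count_hits(stamps, 3, now, window, safe_expired));
    return 0;
}
```

The two failure directions are worth keeping apart when reasoning about symptoms like the one reported: when the deadline has wrapped but the counter has not, the naive check expires entries early; when the counter has wrapped but the deadline has not, the naive check never expires them, so stale entries keep counting against a source until a reboot resets the counter.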