Bug#333350: marked as done (ipt_recent kernel module suffers from jiffies rollover)
Your message dated Wed, 12 Oct 2005 11:12:58 +0900
with message-id <20051012021258.GF31676@verge.net.au>
and subject line Bug#333350: ipt_recent kernel module suffers from jiffies rollover
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 11 Oct 2005 13:46:07 +0000
From ftpmaint@dante.de Tue Oct 11 06:46:07 2005
Return-path: <ftpmaint@dante.de>
Received: from comedy.dante.de [80.237.210.73]
by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
id 1EPKSE-0007Tz-00; Tue, 11 Oct 2005 06:46:06 -0700
Received: from comedy.dante.de (localhost. [127.0.0.1])
by comedy.dante.de (8.13.4/8.13.4/Debian-3) with ESMTP id j9BDk35B007367
for <submit@bugs.debian.org>; Tue, 11 Oct 2005 15:46:03 +0200
Received: (from ftpmaint@localhost)
by comedy.dante.de (8.13.4/8.13.4/Submit) id j9BDk3Ul007366;
Tue, 11 Oct 2005 15:46:03 +0200
Message-Id: <200510111346.j9BDk3Ul007366@comedy.dante.de>
X-Authentication-Warning: comedy.dante.de: ftpmaint set sender to ftpmaint@dante.de using -f
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Rainer Schöpf <ftpmaint@dante.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ipt_recent kernel module suffers from jiffies rollover
X-Mailer: reportbug 3.8
Date: Tue, 11 Oct 2005 15:46:03 +0200
X-Debbugs-Cc: rainer.schoepf@proteosys.com
X-DANTE-Spam-Score: -2.399 () ALL_TRUSTED,AWL
X-Scanned-By: MIMEDefang 2.51 on 80.237.210.73
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-11.0 required=4.0 tests=BAYES_00,HAS_PACKAGE,
X_DEBBUGS_CC autolearn=ham version=2.60-bugs.debian.org_2005_01_02
Package: kernel-image-2.6.8-2-686-smp
Version: 2.6.8-16
Severity: serious
The ipt_recent kernel module suffers from a wraparound of the jiffies
counter. The problem is described by the module author on
http://blog.blackdown.de/2005/05/09/fixing-the-ipt_recent-netfilter-module/
Since the correction didn't make it into the official kernel sources,
I would be very grateful if the Debian kernels could pick up the change.
For reference:
I use the ipt_recent kernel module to protect against ssh attacks,
with the following rules:
iptables -A dante_in -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
iptables -A dante_in -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --rsource -j ULOG --ulog-prefix "DROP SSH_brute_force:" --ulog-cprange 64
iptables -A dante_in -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --rsource -j DROP
After several weeks, ssh logins fail if they come from an IP address not
yet known to the ipt_recent module. Reboot helps.
Rainer Schoepf
-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686-smp
Locale: LANG=en_US.ISO-8859-15, LC_CTYPE=en_US.ISO-8859-15 (charmap=ISO-8859-15)
Versions of packages kernel-image-2.6.8-2-686-smp depends on:
ii coreutils [fileutils] 5.2.1-2 The GNU core utilities
ii fileutils 5.2.1-2 The GNU file management utilities
ii initrd-tools 0.1.81.1 tools to create initrd image for p
ii module-init-tools 3.2-pre1-2 tools for managing Linux kernel mo
-- no debconf information
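The failure mode behind this report is a comparison of tick timestamps that is not safe across the wrap of a 32-bit counter. The following C program is an added illustration for this thread; it is not code from the ipt_recent module, from the linked blog post, or from either correspondent, and the page does not say which comparison form ipt_recent actually used. It assumes a hypothetical tick rate of HZ=1000 (so the counter wraps after about 49.7 days, consistent with "several weeks"), takes the 60-second window and hit count of 4 from the rules in the report, and contrasts a naive unsigned comparison with the signed-difference idiom the Linux kernel uses in its time_after()/time_before() macros. The two constructed scenarios show the rate limiter failing in both directions: not dropping a burst recorded just before the wrap, and dropping a source whose hits are long stale once the counter has wrapped.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed 32-bit tick counter, as on a 32-bit kernel: wraps at 2^32. */
typedef uint32_t tick_t;
#define HZ 1000u                    /* hypothetical tick rate, assumption */
#define WINDOW_TICKS (60u * HZ)     /* --seconds 60 from the rules in the report */
#define HITCOUNT 4u                 /* --hitcount 4 from the rules in the report */

typedef bool (*within_fn)(tick_t last, tick_t now, tick_t window);

/* Naive check: "is last + window still at or after now?" with plain unsigned
 * comparison. Wrong whenever exactly one of the two sides has wrapped. */
bool seen_within_naive(tick_t last, tick_t now, tick_t window)
{
    return last + window >= now;
}

/* Wrap-safe ordering in the style of the kernel's time_after(a, b):
 * a is after b if the difference, viewed as signed, is negative. Valid as
 * long as the two values are less than 2^31 ticks apart. */
static inline bool tick_after(tick_t a, tick_t b)
{
    return (int32_t)(b - a) < 0;
}

bool seen_within_safe(tick_t last, tick_t now, tick_t window)
{
    /* "now is not after last + window" <=> still inside the window */
    return !tick_after(now, last + window);
}

/* Count recorded hits for one source that fall inside the window. */
unsigned hits_in_window(const tick_t *stamps, size_t n, tick_t now,
                        within_fn within)
{
    unsigned hits = 0;
    for (size_t i = 0; i < n; i++)
        if (within(stamps[i], now, WINDOW_TICKS))
            hits++;
    return hits;
}

/* The DROP rule fires when the in-window hit count reaches HITCOUNT. */
bool would_drop(const tick_t *stamps, size_t n, tick_t now, within_fn within)
{
    return hits_in_window(stamps, n, now, within) >= HITCOUNT;
}

int main(void)
{
    /* Scenario A (constructed): four hits a few ticks before the wrap,
     * evaluated two ticks after the last one, still before the wrap. */
    static const tick_t burst[4] = {0xFFFFFFF0u, 0xFFFFFFF4u,
                                    0xFFFFFFF8u, 0xFFFFFFFCu};
    tick_t now_a = 0xFFFFFFFEu;
    printf("burst before wrap: naive drops=%d safe drops=%d\n",
           would_drop(burst, 4, now_a, seen_within_naive),
           would_drop(burst, 4, now_a, seen_within_safe));

    /* Scenario B (constructed): four hits about 17 minutes before the wrap,
     * evaluated one second after the counter has wrapped to zero. */
    static const tick_t stale[4] = {0xFFF00000u, 0xFFF00001u,
                                    0xFFF00002u, 0xFFF00003u};
    tick_t now_b = 1000u;
    printf("stale after wrap:  naive drops=%d safe drops=%d\n",
           would_drop(stale, 4, now_b, seen_within_naive),
           would_drop(stale, 4, now_b, seen_within_safe));
    return 0;
}
```

Scenario A is the fail-open case: the naive form sees every `last + window` wrap to a small value and counts zero hits, so the burst is not dropped. Scenario B is the fail-closed case: `last + window` has not wrapped but `now` has, so the naive form counts four stale hits and drops the packet. The signed-difference form gets both right, which is why the kernel exposes time_after() and friends rather than leaving each module to compare jiffies directly.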
---------------------------------------
Received: (at 333350-done) by bugs.debian.org; 12 Oct 2005 04:33:51 +0000
From horms@koto.vergenet.net Tue Oct 11 21:33:51 2005
Return-path: <horms@koto.vergenet.net>
Received: from koto.vergenet.net [210.128.90.7]
by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
id 1EPYJL-0007Rc-00; Tue, 11 Oct 2005 21:33:51 -0700
Received: by koto.vergenet.net (Postfix, from userid 7100)
id BA79834032; Wed, 12 Oct 2005 13:33:18 +0900 (JST)
Date: Wed, 12 Oct 2005 11:12:58 +0900
From: Horms <horms@debian.org>
To: Rainer Schöpf <ftpmaint@dante.de>,
333350-done@bugs.debian.org
Cc: 332231@bugs.debian.org
Subject: Re: Bug#333350: ipt_recent kernel module suffers from jiffies rollover
Message-ID: <20051012021258.GF31676@verge.net.au>
References: <200510111346.j9BDk3Ul007366@comedy.dante.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
In-Reply-To: <200510111346.j9BDk3Ul007366@comedy.dante.de>
X-Cluestick: seven
User-Agent: Mutt/1.5.11
Content-Transfer-Encoding: quoted-printable
Delivered-To: 333350-done@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-CrossAssassin-Score: 2
On Tue, Oct 11, 2005 at 03:46:03PM +0200, Rainer Schöpf wrote:
> Package: kernel-image-2.6.8-2-686-smp
> Version: 2.6.8-16
> Severity: serious
>
> The ipt_recent kernel module suffers from a wraparound of the jiffies
> counter. The problem is described by the module author on
>
> http://blog.blackdown.de/2005/05/09/fixing-the-ipt_recent-netfilter-module/
>
> Since the correction didn't make it into the official kernel sources,
> I would be very grateful if the Debian kernels could pick up the change.
Unfortunately the patch didn't make it upstream because it is not correct.
This bug (333350) is actually a duplicate of 332231. I am forwarding your
information to that bug and closing this one.
Thanks
> For reference:
>
> I use the ipt_recent kernel module to protect against ssh attacks,
> with the following rules:
>
> iptables -A dante_in -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
> iptables -A dante_in -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --rsource -j ULOG --ulog-prefix "DROP SSH_brute_force:" --ulog-cprange 64
> iptables -A dante_in -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --rsource -j DROP
>
> After several weeks, ssh logins fail if they come from an IP address not
> yet known to the ipt_recent module. Reboot helps.
>
> Rainer Schoepf
-- 
Horms