
Re: iptables not behaving the way I expected



Jim Hyslop <jhyslop@dreampossible.ca> writes:

> Hello, all
>
> I've set my SSH to accept only public key authorization, and forwarded
> port 22 from the Big Bad Internet to my Debian box. Predictably, I'm
> being hit by a lot of dictionary attempts to log in. A while back,
> someone posted a link in this list to a blog that gave an Iptables
> recipe to limit connections to 5 per minute per IP address. So, I issued
> the commands:
>
> iptables -A INPUT -i ethLRZ -p tcp --dport 22 -m state --state NEW \
>     -m recent --set --name SSH
>
> iptables -A INPUT -i ethLRZ -p tcp --dport 22 -m state --state NEW \
>     -m recent --update --seconds 60 --hitcount 5 --rttl --name SSH \
>     -j DROP
>
> but that didn't throttle back the attempts. I tried '-i eth0' instead of
> ethLRZ, but no effect.

You want to do update before you do set.
-m recent --set will log the IP address to the list whether it is in the
list or not, so that rule will always match.
You never get to the second rule, which says to only update if the IP
address is already in the list.

-- 
John L. Fjellstad
web: http://www.fjellstad.org/          Quis custodiet ipsos custodes
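As an added illustration (not part of the thread, and not how the kernel is written), here is a small Python model of how xt_recent evaluates the two rules from the post, --set and --update --seconds 60 --hitcount 5, in either order, so you can see which connection attempt is the first to be dropped and how long a hammering source stays blocked. It assumes netfilter's rule of thumb that a rule with no -j target matches but does not stop traversal, ignores --rttl, and feeds constructed timestamps for a single constructed source address.

```python
from collections import defaultdict, deque

MAX_STAMPS = 20  # xt_recent default ip_pkt_list_tot (timestamps kept per IP)

class RecentList:
    """Model of one xt_recent list (the --name SSH list in the thread).
    Assumptions: integer seconds for time, --rttl (TTL check) ignored."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=MAX_STAMPS))

    def set(self, ip, now):
        # --set: create or refresh the entry; this match always succeeds
        self.stamps[ip].append(now)
        return True

    def update(self, ip, now, seconds, hitcount):
        # --update --seconds S --hitcount N: match only if the entry exists
        # and holds >= N stamps from the last S seconds; a match also
        # records `now`, so a source that keeps hammering stays matched
        if ip not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[ip] if t >= now - seconds)
        if hits >= hitcount:
            self.stamps[ip].append(now)
            return True
        return False

def run_chain(rules, ip, now):
    """Walk INPUT for one NEW SYN from ip. A rule with no -j target (the
    --set rule as posted) matches but does not stop rule traversal."""
    for match, target in rules:
        if match(ip, now) and target is not None:
            return target
    return "ACCEPT"  # assumption: a later rule or the policy accepts SSH

def build_chain(order, recent, seconds=60, hitcount=5):
    set_rule = (recent.set, None)
    drop_rule = (lambda ip, now: recent.update(ip, now, seconds, hitcount),
                 "DROP")
    return [set_rule, drop_rule] if order == "set-first" else [drop_rule, set_rule]

def simulate(order, times, ip="198.51.100.7"):
    """Verdict per connection attempt at each time in `times` (constructed)."""
    recent = RecentList()
    chain = build_chain(order, recent)
    return [run_chain(chain, ip, t) for t in times]
```

With --set listed first the fifth attempt within a minute is already dropped; with --update first it is the sixth. In either order the block persists for as long as the source keeps trying, because a matching --update records that attempt too, and lifts only after a quiet minute.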
