From: "Jörg Harmuth" <harmuth@mnemon.de>
To: netfilter@lists.netfilter.org
Subject: Re: max size of ipt_recent match
Date: Fri, 04 Nov 2005 11:03:05 +0100	[thread overview]
Message-ID: <436B31D9.8080504@mnemon.de> (raw)
In-Reply-To: <436B214C.40205@asiaa.sinica.edu.tw>

Joshua, C.S. Chen wrote:
> Hi folks,
> I am now using recent match to block ssh brute-force attack like
>
> ### ssh brute-force attack rule
> $IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
>
> $IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
> --rcheck --seconds 5 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: 3/5 '
> $IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
> --rcheck --seconds 5 --hitcount 3 -j REJECT --reject-with tcp-reset
>
> $IPTABLES -A FORWARD -p tcp --syn --dport 22 -m recent --name sshattack \
> --set
>
> $IPTABLES -A FORWARD -p tcp --dport 22 --syn -m recent --name sshattack \
> --rcheck --seconds 5 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: 3/5 '
> $IPTABLES -A FORWARD -p tcp --dport 22 --syn -m recent --name sshattack \
> --rcheck --seconds 5 --hitcount 3 -j REJECT --reject-with tcp-reset
>
> It works very well for me.
> Then I found that the internal table at /proc/net/ipt_recent/sshattack
> has a max limit of 100 entries; after the max number of entries has been
> reached, no more new entries can be added, so the above will have no effect.
>
> Anyone know how to 'enlarge' the limit of the table? Or what should be
> done to cycle/purge old entries so new hit entries can be added?

man iptables

recent

  [SNIP]

  The module itself accepts parameters, defaults shown:

       ip_list_tot=100
              Number of addresses remembered per table

       ip_pkt_list_tot=20
              Number of packets per address remembered

       ip_list_hash_size=0
              Hash table size. 0 means to calculate it
              based on ip_list_tot, default: 512

       ip_list_perms=0644
              Permissions for /proc/net/ipt_recent/* files

       debug=0
              Set to 1 to get lots of debugging info

Some time ago there was a posting that this doesn't work. So
alternatively, you can modify the source code and edit the respective
var (<Path/to/kernel_source>/net/ipv4/netfilter/ipt_recent.c => static
int ip_list_tot=100).

Have a nice time,

Joerg
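A toy model of the table semantics the rules in this thread depend on, added here as an illustration; it is not the ipt_recent kernel code and not code from either poster. It assumes per-address timestamp lists bounded by ip_pkt_list_tot and a table bounded by ip_list_tot; the "full table silently stops tracking new addresses" behaviour reproduces what the original poster reports, and the evict_oldest variant is an assumed alternative, not a claim about any kernel version.

```python
from collections import OrderedDict


class RecentTable:
    """Toy model of one ipt_recent table (constructed example, not kernel code)."""

    def __init__(self, ip_list_tot=100, ip_pkt_list_tot=20, evict_oldest=False):
        self.ip_list_tot = ip_list_tot          # max addresses per table
        self.ip_pkt_list_tot = ip_pkt_list_tot  # max packets remembered per address
        self.evict_oldest = evict_oldest        # assumption: replace least recently seen
        self.entries = OrderedDict()            # ip -> timestamps; least recent ip first

    def set(self, ip, now):
        """--set: record a packet from ip. Returns False if the table is full
        and the address could not be added (what the original poster observed)."""
        if ip not in self.entries:
            if len(self.entries) >= self.ip_list_tot:
                if not self.evict_oldest:
                    return False
                self.entries.popitem(last=False)  # drop least recently seen address
            self.entries[ip] = []
        self.entries.move_to_end(ip)               # ip is now the most recently seen
        stamps = self.entries[ip]
        stamps.append(now)
        del stamps[:-self.ip_pkt_list_tot]         # keep only the newest N packets
        return True

    def rcheck(self, ip, now, seconds, hitcount):
        """--rcheck --seconds S --hitcount H: match when at least H remembered
        packets from ip fall within the last S seconds."""
        stamps = self.entries.get(ip)
        if stamps is None:
            return False
        return sum(1 for t in stamps if now - t <= seconds) >= hitcount


def ssh_syn(table, ip, now, seconds=5, hitcount=3):
    """Walk one SSH SYN through the poster's rule order: --set first, then
    --rcheck. Returns 'REJECT' when the rcheck rule matches, else 'ACCEPT'."""
    table.set(ip, now)
    return "REJECT" if table.rcheck(ip, now, seconds, hitcount) else "ACCEPT"
```

Filling a default-sized table with 100 addresses and then sending three SYNs from a 101st shows why the rules stop taking effect; raising ip_list_tot (or evicting) restores the rejection.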

