* --match recent
From: olivierk @ 2007-06-11 9:23 UTC (permalink / raw)
To: netfilter
Hello, List!
I am trying to use the 'recent' module on an otherwise working
installation.
(trying to prevent lots of logs from brute force ssh attacks)
I am doing this:
$IPT --table filter --append FORWARD \
--destination $DMZ \
--in-interface $EXT_PPP_IF \
--out-interface $DMZ_IF \
--protocol tcp \
--destination-port $SSH_PORT \
--match recent \
--name sbfa \
--rcheck \
--hitcount 5 \
--seconds 60 \
--jump ld && echo OK
$IPT --table filter --append FORWARD \
--destination $DMZ \
--in-interface $EXT_PPP_IF \
--out-interface $DMZ_IF \
--protocol tcp \
--destination-port $SSH_PORT \
--match state \
--state NEW \
--match recent \
--name sbfa \
--set \
--jump la && echo OK
So syntax seems to be... OK ;-), but I can't log in from the
outside.
Is there something obvious I am missing ? (I guess there is ;-)
* Re: --match recent
From: Grant Taylor @ 2007-06-11 14:00 UTC (permalink / raw)
To: Mail List - Netfilter
On 06/11/07 04:23, olivierk@club-internet.fr wrote:
> I am trying to use the 'recent' module on an otherwise working
> installation.
> So syntax seems to be... OK ;-), but I can't log in from the outside.
> Is there something obvious I am missing ? (I guess there is ;-)
Just a quick guess, but it looks like you are matching all SSH packets,
not just those of a connection trying to be established.
Grant. . . .
* Re: --match recent
From: Olivier @ 2007-06-11 18:12 UTC (permalink / raw)
To: netfilter
Hello Grant,
Thanks for your response.
> Just a quick guess, but it looks like you are matching all SSH
> packets, not just those of a connection trying to be established.
I was thinking I was:
1. Letting NEW packets just pass ('la' stands for log&accept) but
counting them. (Those, I take it, are the ones initiating the client
connection to the server.)
2. Limiting those NEW packets to 5 every 60 seconds. ('ld' stands for
log&drop)
I intend to count/limit only connection initiations, leaving alone the
rest. I can't figure out where I catch more than I think I catch.
Best regards,
--
Olivier K
* Re: --match recent
From: Grant Taylor @ 2007-06-11 18:28 UTC (permalink / raw)
To: Mail List - Netfilter
On 06/11/07 13:12, Olivier wrote:
> I intend to count/limit only connection initiations, leaving alone the
> rest. I can't figure out where I catch more than I think I catch.
What is your FORWARD chain's default policy?
What does netstat have to say about the connection(s)?
Grant. . . .
* Re: --match recent
From: Olivier @ 2007-06-11 18:51 UTC (permalink / raw)
To: netfilter
Hello Grant,
> What is your FORWARD chain's default policy?
That would be DROP:
Chain FORWARD (policy DROP)
> What does netstat have to say about the connection(s)?
On the targeted ssh server (behind the firewall), while being outside
ssh'ing in, nothing gets there:
tcp6 0 0 *:ssh *:* LISTEN root 5858 2462/sshd
tcp6 0 0 placard:ssh ::ffff:192.168.1.1:3280 ESTABLISHED root 82534 13605/sshd: olivier
Of course, if I disable those 2 new rules, everything's fine, just
like it has always been: I sure can connect from the outside, port
forwarding and all is up and running.
tcp6 0 0 *:ssh *:* LISTEN root 5858 2462/sshd
tcp6 0 0 placard:ssh -----outside-----:32923 ESTABLISHED root 96601 16381/sshd: olivier
tcp6 0 0 placard:ssh ::ffff:192.168.1.1:3280 ESTABLISHED root 82534 13605/sshd: olivier
Thanks for your time,
--
Olivier K
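The usual layout of a 'recent'-based SSH limiter for a FORWARD chain whose policy is DROP, as an added example that is not part of the thread or anyone's posted rules. It keeps the list name sbfa and the variable names from the first message; the interface names, the DMZ address and the port are placeholders. The ordering is the point: an ESTABLISHED,RELATED accept sits before the recent rules, so only connection-opening (NEW) packets are ever checked or counted, and a packet of an already-accepted connection never reaches the chain's DROP policy. With DRY_RUN=1 the function prints the rules instead of installing them, so the order can be inspected without root.

```sh
#!/bin/sh
# Added example, not taken from the thread: a "recent"-based SSH limiter
# for a FORWARD chain whose policy is DROP. Interface/address values are
# placeholders (assumptions); the variable names follow the first message.
IPT="${IPT:-iptables}"
EXT_PPP_IF="${EXT_PPP_IF:-ppp0}"      # assumed external (PPP) interface
DMZ_IF="${DMZ_IF:-eth1}"              # assumed DMZ-side interface
DMZ="${DMZ:-192.0.2.10}"              # assumed SSH server address in the DMZ
SSH_PORT="${SSH_PORT:-22}"

# run: execute the rule, or with DRY_RUN=1 print it on one line instead,
# so the rule order can be inspected (or tested) without root.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

ssh_ratelimit_rules() {
    # 1. Let packets of connections that were already accepted through
    #    before the recent rules, so only connection-opening (NEW) packets
    #    are ever counted. Without this, a non-NEW packet that matches no
    #    rule below falls to the chain policy, which here is DROP.
    run "$IPT" -t filter -A FORWARD -i "$EXT_PPP_IF" -o "$DMZ_IF" -d "$DMZ" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 2. Check before set: a source already listed under "sbfa" with 5 or
    #    more hits in the last 60 s is dropped. --update (unlike --rcheck)
    #    also refreshes the entry, so a source that keeps hammering stays
    #    blocked until it goes quiet for 60 s. Net effect: 5 new
    #    connections per 60 s are allowed and the 6th is dropped. The
    #    thread's "ld" (log&drop) chain can be substituted for DROP.
    run "$IPT" -t filter -A FORWARD -i "$EXT_PPP_IF" -o "$DMZ_IF" -d "$DMZ" \
        -p tcp --dport "$SSH_PORT" -m state --state NEW \
        -m recent --name sbfa --update --seconds 60 --hitcount 5 -j DROP

    # 3. Record this NEW connection attempt under the same list name.
    run "$IPT" -t filter -A FORWARD -i "$EXT_PPP_IF" -o "$DMZ_IF" -d "$DMZ" \
        -p tcp --dport "$SSH_PORT" -m state --state NEW \
        -m recent --name sbfa --set

    # 4. Then accept it (the thread's "la" log&accept chain can be
    #    substituted for ACCEPT).
    run "$IPT" -t filter -A FORWARD -i "$EXT_PPP_IF" -o "$DMZ_IF" -d "$DMZ" \
        -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
}

# Usage: source this file, then `DRY_RUN=1 ssh_ratelimit_rules` prints the
# four rules in order; `ssh_ratelimit_rules` as root installs them.
```

The state of the sbfa list can be read from /proc/net/xt_recent/sbfa (on the ipt_recent module of that era, /proc/net/ipt_recent/sbfa), which shows each tracked source with its hit timestamps and is the quickest way to confirm whether an outside client is being counted once per connection or once per packet.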