Linux Netfilter discussions
* max size of ipt_recent match
@ 2005-11-04  8:52 Joshua, C.S. Chen
  2005-11-04 10:03 ` Jörg Harmuth
From: Joshua, C.S. Chen @ 2005-11-04  8:52 UTC (permalink / raw)
  To: netfilter

Hi folks,
I am now using recent match to block ssh brute-force attack like
### ssh brute-force attack rule
$IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set

$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
--rcheck --seconds 5 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: 3/5 '
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
--rcheck --seconds 5 --hitcount 3 -j REJECT --reject-with tcp-reset

$IPTABLES -A FORWARD -p tcp --syn --dport 22 -m recent --name sshattack --set

$IPTABLES -A FORWARD -p tcp --dport 22 --syn -m recent --name sshattack \
--rcheck --seconds 5 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: 3/5 '
$IPTABLES -A FORWARD -p tcp --dport 22 --syn -m recent --name sshattack \
--rcheck --seconds 5 --hitcount 3 -j REJECT --reject-with tcp-reset
It works very well for me.
Then I found that the internal table at /proc/net/ipt_recent/sshattack
has a max limit of 100 entries; after the max number of entries has been
reached, no new entries can be added, so the above has no effect.

Does anyone know how to 'enlarge' the limit of the table? Or what should be
done to cycle/purge old entries so new hit entries can be added?
Thanks in advance
Joshua


* Re: max size of ipt_recent match
  2005-11-04  8:52 max size of ipt_recent match Joshua, C.S. Chen
@ 2005-11-04 10:03 ` Jörg Harmuth
From: Jörg Harmuth @ 2005-11-04 10:03 UTC (permalink / raw)
  To: netfilter

Joshua, C.S. Chen wrote:
> Hi folks,
> I am now using recent match to block ssh brute-force attack like
> 
> ### ssh brute-force attack rule
> $IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
> 
> $IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
> --rcheck --seconds 5 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: 3/5 '
> $IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
> --rcheck --seconds 5 --hitcount 3 -j REJECT --reject-with tcp-reset
> 
> $IPTABLES -A FORWARD -p tcp --syn --dport 22 -m recent --name sshattack --set
> 
> $IPTABLES -A FORWARD -p tcp --dport 22 --syn -m recent --name sshattack \
> --rcheck --seconds 5 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: 3/5 '
> $IPTABLES -A FORWARD -p tcp --dport 22 --syn -m recent --name sshattack \
> --rcheck --seconds 5 --hitcount 3 -j REJECT --reject-with tcp-reset
> 
> It works very well for me.
> Then I found that the internal table at /proc/net/ipt_recent/sshattack
> has a max limit of 100 entries; after the max number of entries has been
> reached, no new entries can be added, so the above has no effect.
> 
> Does anyone know how to 'enlarge' the limit of the table? Or what should be
> done to cycle/purge old entries so new hit entries can be added?

man iptables

recent

  [SNIP]

  The module itself accepts parameters, defaults shown:

       ip_list_tot=100
              Number of addresses remembered per table

       ip_pkt_list_tot=20
              Number of packets per address remembered

       ip_list_hash_size=0
              Hash table size. 0 means to calculate it
              based on ip_list_tot, default: 512

       ip_list_perms=0644
              Permissions for /proc/net/ipt_recent/* files

       debug=0
              Set to 1 to get lots of debugging info

Some time ago there was a posting that this doesn't work. So
alternatively, you can modify the source code and edit the respective
var (<Path/to/kernel_source>/net/ipv4/netfilter/ipt_recent.c => static
int ip_list_tot=100).

Have a nice time,

Joerg
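As an added example (not from either poster), a small POSIX shell check that reports how full a recent table is against the ip_list_tot ceiling the man page excerpt describes, so the silent "no more entries" condition from the original question can be noticed before it blinds the rules. The /proc and /sys paths in the comments, and the sample table contents, are assumptions; adjust them for your kernel (newer kernels name the module xt_recent).

```shell
#!/bin/sh
# Added example, not code from the thread: measure occupancy of an
# ipt_recent table so you notice when it reaches ip_list_tot.
# Paths below are assumptions for a 2.6-era kernel; newer kernels use
# /proc/net/xt_recent/<name> and /sys/module/xt_recent/parameters/.

# Count remembered addresses in a table dump (one "src=..." line per entry).
recent_count() {
    grep -c '^src=' "$1"
}

# Print "<used>/<limit>" and return non-zero once the table has hit the limit,
# i.e. the point at which new offenders are no longer recorded.
recent_usage() {
    table="$1"; limit="$2"
    used=$(recent_count "$table")
    echo "$table: $used/$limit entries"
    [ "$used" -lt "$limit" ]
}

# Constructed sample in the legacy ipt_recent /proc format (3 entries).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
src=192.0.2.10 ttl: 64 last_seen: 158304 oldest_pkt: 1 last_pkts: 158304
src=192.0.2.11 ttl: 64 last_seen: 158310 oldest_pkt: 2 last_pkts: 158305 158310
src=198.51.100.7 ttl: 128 last_seen: 158320 oldest_pkt: 1 last_pkts: 158320
EOF

# Live use (assumed paths): compare the real table with the loaded module's limit,
#   recent_usage /proc/net/ipt_recent/sshattack \
#       "$(cat /sys/module/ipt_recent/parameters/ip_list_tot)"
# and raise the limit at module load time with a modprobe.conf line such as
#   options ipt_recent ip_list_tot=1000
# (the ip_list_tot parameter from the man page excerpt in the reply above).
recent_usage "$SAMPLE" 100
recent_usage "$SAMPLE" 3 || echo "table full: new hits will not be recorded"
rm -f "$SAMPLE"
```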
