Odd ssh attacks?

David Ford david at blue-labs.org
Thu Jul 19 12:59:05 UTC 2007


Anton Hofmann wrote:
> David Ford wrote:
>
> > recent --name sshprobe --update --seconds 60 --hitcount 3 -j LOGDROP
> > [...]
>
> Hi David, is the "--seconds 60" how long the packets from this
> IP will be blocked?
>
> kind regards
>
> anton
>
   recent
       Allows you to dynamically create a list of IP addresses and then match
       against that list in a few different ways.

       For example, you can create a `badguy' list out of people attempting to
       connect to port 139 on your firewall and then DROP all future packets
       from them without considering them.

       --name name
              Specify the list to use for the commands. If no name is given
              then 'DEFAULT' will be used.

       [!] --set
              This will add the source address of the packet to the list. If
              the source address is already in the list, this will update the
              existing entry. This will always return success (or failure if
              `!' is passed in).

       [!] --rcheck
              Check if the source address of the packet is currently in the
              list.

       [!] --update
              Like --rcheck, except it will update the "last seen" timestamp
              if it matches.

       [!] --remove
              Check if the source address of the packet is currently in the
              list and if so that address will be removed from the list and
              the rule will return true. If the address is not found, false is
              returned.

       [!] --seconds seconds
              This option must be used in conjunction with one of --rcheck or
              --update. When used, this will narrow the match to only happen
              when the address is in the list and was seen within the last
              given number of seconds.

       [!] --hitcount hits
              This option must be used in conjunction with one of --rcheck or
              --update. When used, this will narrow the match to only happen
              when the address is in the list and packets have been received
              greater than or equal to the given value. This option may be
              used along with --seconds to create an even narrower match
              requiring a certain number of hits within a specific time frame.

       --rttl This option must be used in conjunction with one of --rcheck or
              --update. When used, this will narrow the match to only happen
              when the address is in the list and the TTL of the current
              packet matches that of the packet which hit the --set rule. This
              may be useful if you have problems with people faking their
              source address in order to DoS you via this module by
              disallowing others access to your site by sending bogus packets
              to you.

       Examples:

              # iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP

              # iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set -j DROP

       Official website (http://snowman.net/projects/ipt_recent/) also has
       some examples of usage.

       /proc/net/ipt_recent/* are the current lists of addresses and
       information about each entry of each list.

       Each file in /proc/net/ipt_recent/ can be read from to see the current
       list or written to using the following commands to modify the list:

       echo xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT
              to add to the DEFAULT list

       echo -xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT
              to remove from the DEFAULT list

       echo clear > /proc/net/ipt_recent/DEFAULT
              to empty the DEFAULT list.

       The module itself accepts parameters, defaults shown:

       ip_list_tot=100
              Number of addresses remembered per table

       ip_pkt_list_tot=20
              Number of packets per address remembered

       ip_list_hash_size=0
              Hash table size. 0 means to calculate it based on ip_list_tot,
              default: 512

       ip_list_perms=0644
              Permissions for /proc/net/ipt_recent/* files

       debug=0
              Set to 1 to get lots of debugging info
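The man page text above answers Anton's question only indirectly, so here is an added example (not code from the mail, from iptables or from the kernel) that models the list semantics the man page describes and runs the thread's `--update --seconds 60 --hitcount 3` rule over a constructed timeline of SSH connection attempts. The model assumes the xt_recent behaviour as this example's author understands it: a `--update` match counts the timestamps already stored for the address that fall inside the `--seconds` window, matches when that count is at least `--hitcount`, and only on a match records the current packet as the new "last seen" timestamp. The companion `--set -j ACCEPT` rule, the list name `sshprobe` and the source address are assumptions for the sake of the example.

```python
"""Model of the netfilter ``recent`` match (--set / --rcheck / --update /
--remove with --seconds and --hitcount), used to show what
"--update --seconds 60 --hitcount 3" actually blocks.

Added example for this thread; not code from the mail, iptables or the kernel.
The semantics below are an assumption based on the quoted man page and on
xt_recent as the example's author understands it.
"""
from collections import deque

IP_PKT_LIST_TOT = 20   # module default: packets remembered per address


class RecentList:
    """One named list, e.g. /proc/net/ipt_recent/sshprobe."""

    def __init__(self, name="DEFAULT"):
        self.name = name
        self.stamps = {}   # ip -> deque of packet timestamps, oldest first

    def set(self, ip, now):
        """--set: add the address, or add a new timestamp to an existing entry.
        Always matches."""
        self.stamps.setdefault(ip, deque(maxlen=IP_PKT_LIST_TOT)).append(now)
        return True

    def _check(self, ip, now, seconds, hitcount, refresh):
        entry = self.stamps.get(ip)
        if entry is None:
            return False
        # --seconds: only timestamps inside the trailing window count.
        in_window = [t for t in entry if seconds is None or now - t <= seconds]
        if not in_window:
            return False
        # --hitcount: at least this many stored packets must lie in the window.
        # The packet being evaluated is not stored yet, so with --hitcount 3 the
        # fourth attempt inside the window is the first one that matches.
        if hitcount is not None and len(in_window) < hitcount:
            return False
        if refresh:   # --update: a match records this packet as "last seen"
            entry.append(now)
        return True

    def rcheck(self, ip, now, seconds=None, hitcount=None):
        """--rcheck: match without touching the entry."""
        return self._check(ip, now, seconds, hitcount, refresh=False)

    def update(self, ip, now, seconds=None, hitcount=None):
        """--update: like --rcheck, but a match also updates the entry."""
        return self._check(ip, now, seconds, hitcount, refresh=True)

    def remove(self, ip):
        """--remove: drop the address; true only if it was listed."""
        return self.stamps.pop(ip, None) is not None


def ssh_policy(probe_times, ip="198.51.100.7", seconds=60, hitcount=3):
    """Apply the two-rule SSH policy discussed in the thread to a stream of new
    connection attempts from one address and return the verdict for each.

    Assumed rule set (the mail shows only the first rule):
        -m recent --name sshprobe --update --seconds 60 --hitcount 3 -j LOGDROP
        -m recent --name sshprobe --set -j ACCEPT
    """
    sshprobe = RecentList("sshprobe")
    verdicts = []
    for t in probe_times:
        if sshprobe.update(ip, t, seconds, hitcount):
            verdicts.append("LOGDROP")
        else:
            sshprobe.set(ip, t)       # not blocked: record the attempt, accept
            verdicts.append("ACCEPT")
    return verdicts


# Constructed timeline: seconds since the first SSH connection attempt from
# one source address (198.51.100.7 is a documentation address).
PROBES = [0, 1, 2, 3, 30, 65, 66, 67]

if __name__ == "__main__":
    for t, verdict in zip(PROBES, ssh_policy(PROBES)):
        print(f"t={t:3d}s  {verdict}")
```

Run as written, the timeline accepts the attempts at 0, 1 and 2 seconds, drops the fourth attempt at t=3 (three stored hits inside the window) and the one at t=30, accepts again at t=65 and t=66 because the early hits have aged out of the trailing 60-second window, and drops at t=67 once three hits (30, 65, 66) are back inside it. So `--seconds 60` is not a fixed block duration: the address is blocked for as long as at least `--hitcount` attempts fall inside the trailing window, and because `--update` records each blocked attempt too, continued probing keeps the block alive while a quiet spell lets the attempts age out. Entries stay in the list (up to `ip_list_tot`) after they stop matching; `--remove` or writing `-addr` to the /proc file is how they are cleared by hand.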
