LinuxQuestions.org forum: Linux - Networking. This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
I have what I think is a rather straightforward iptables script (below). I believe I have set port 22 on eth0 to 1 connection attempt per second and limit attempts to 10 per minute. This is not working. I continue to get attempts that try hundreds of times in a minute. What am I doing wrong?
iptables version 1.4.10
This host has 2 NICs. eth0 is connected to the Internet and permits input on ports 22,25,53,80,443; output on all ports. eth1 is the local LAN and is firewalled up-stream to permit only port 25 from the Internet to this host. LAN hosts can do samba mounts and I can use putty to ssh to this host from LAN workstations. From within the LAN I permit everything INPUT/OUTPUT-wise on eth1.
Based on an example I saw on the web, I also tried moving the "INPUT -i eth0 -m multiport --dports 22,25,53,80,443" line to above the "--limit" lines, but that didn't help.
Any help would be greatly appreciated. I've spent well over a month trying to figure this out.
iptables config script:
# Permit all related and established connections.
# Not sure I need this, but it was recommended once upon a time.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Accept all INPUT connections on local interface and LAN interface eth1
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -m state --state NEW -j ACCEPT
# Attempt to limit connection on WAN interface eth0, port 22 to 10 per minute, log a message if hitcount reached (not working)
iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 \
--hitcount 10 --rsource -j LOG --log-prefix "SSH Break-in attempt" --log-level 6
iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 \
--hitcount 10 --rsource -j DROP
# Limit eth0 port 22 connection attempts to once per second (not working)
iptables -A INPUT -p tcp --syn -m limit --limit 1/s -i eth0 --dport 22 -j ACCEPT
# Accept eth0 connections on port 22,25,53,80 and 443
iptables -A INPUT -p TCP -i eth0 -m multiport --dports 22,25,53,80,443 -m state --state NEW -j ACCEPT
# Accept UDP connection on eth0, port 53
iptables -A INPUT -p UDP -i eth0 -m multiport --dports 53 -m state --state NEW -j ACCEPT
# Permit all related and establish output connections
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# permit connection to port 37 from specific host
iptables -I INPUT -p tcp -m tcp -s 64.129.23.99 --dport 37 -j ACCEPT
# Permit all output connection on eth0, lo and eth1
iptables -A OUTPUT -o eth0 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o eth1 -m state --state NEW -j ACCEPT
Absolutely NO attempts are getting logged! I've grepped every file in /etc/logs for "SSH Break-in attempt", including rotated histories. If I did get "all attempts" logged I'd consider that a breakthrough with my issue! Anyway, why do you say it will log all attempts? I believe I have it configured to log when there are more than 10 attempts in 60 seconds. If that is not what I have, can you suggest a correct syntax?
> How do you know its not working?
I have messages in /var/log/messages, like the following, logged hundreds of times within 1 minute:
Apr 22 14:31:00 webserver sshd[3134]: Failed password for invalid user admin from 115.238.68.121 port 3682 ssh2
> What does the counter on the drop line read?
Where would I find that?
> Also, you are making the same test twice. It might be better to have a dedicated chain where you log and drop.
It might be better, but I've not done much with chains before and I'm trying to introduce as few opportunities for screw-up as possible. If I can get this working, I'll possibly try configuring a chain.
Results below. Btw, changing my rules as I suggested in my 04-23-14 02:32 AM post didn't help. After implementing, I received 59 ssh attempts from the same IP within 45 seconds. So, this configuration is neither limited to 1 attempt per second nor limited to 10 attempts per minute.
> smallpond: iptables -vL will list your current rules along with counters for the number of times each rule has hit.
"the number of times each rule has hit", since when? Since the iptables script was started?
You will notice, below, that my LOG and DROP have zero hits. (Note: I have removed a bunch of explicit IP DROPs from this report)
Code:
$ iptables -n -L -v
Chain INPUT (policy DROP 1960 packets, 305K bytes)
pkts bytes target prot opt in out source destination
7 392 ACCEPT tcp -- * * 64.129.23.99 0.0.0.0/0 tcp dpt:37
184M 311G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2741 164K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
23055 2793K ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 LOG tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW recent: UPDATE seconds: 60 hit_count: 10 name: DEFAULT side: source LOG flags 0 level 6 prefix `SSH Break-in attempt'
0 0 DROP tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW recent: UPDATE seconds: 60 hit_count: 10 name: DEFAULT side: source
221 12604 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 flags:0x17/0x02 limit: avg 1/sec burst 5 state NEW
9737 511K ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 multiport dports 25,53,80,443 state NEW
17 1213 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 multiport dports 53 state NEW
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
95M 232G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
20023 1311K ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW
2741 164K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
89694 6027K ACCEPT all -- * eth1 0.0.0.0/0 0.0.0.0/0 state NEW
So, why are my limit and hitcount rules not working?
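An added example, not from this thread: a small Python model of the xt_recent match semantics that the zero counters above reveal. In iptables, `--update` (like `--rcheck`) only matches a source address that some earlier `--set` rule has already placed in the list, so a chain built from `--update` rules alone can never log or drop; the model runs the posted ordering and a corrected one (an extra `-m recent --set` rule in front of the `--update` rules) over constructed traffic, and the address, packet timing and the 10-hits-in-60-seconds window are assumptions.

```python
"""Constructed model of xt_recent matching (not kernel code); see lead-in."""
from collections import defaultdict, deque

class RecentList:
    """One '-m recent' table: src -> timestamps (kernel default keeps 20)."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=20))

    def set(self, src, now):
        # --set: create the entry if missing, record this packet's time, match.
        self.stamps[src].append(now)
        return True

    def update(self, src, now, seconds, hitcount):
        # --update --seconds S --hitcount H: match only if src is ALREADY listed
        # with >= H stamps in the last S seconds; a match also refreshes it.
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t <= seconds)
        if hits >= hitcount:
            self.stamps[src].append(now)
        return hits >= hitcount

def run_chain(chain, packets, seconds=60, hitcount=10):
    """Walk rules in order per (time, src) NEW SYN; count packets per target."""
    table = RecentList()
    counters = {"LOG": 0, "DROP": 0, "ACCEPT": 0}
    for now, src in packets:
        for match, target in chain:
            if match == "set":
                hit = table.set(src, now)
            elif match == "update":
                hit = table.update(src, now, seconds, hitcount)
            else:
                hit = True  # plain '-j ACCEPT' with no recent match
            if hit and target:  # target None = match-only rule, keep walking
                counters[target] += 1
                if target != "LOG":  # LOG is non-terminating, others end walk
                    break
    return counters

# Posted ordering: LOG and DROP via --update, but nothing ever does --set.
POSTED_CHAIN = [("update", "LOG"), ("update", "DROP"), ("any", "ACCEPT")]
# Corrected ordering: --set records every NEW SYN before the window is tested.
FIXED_CHAIN = [("set", None)] + POSTED_CHAIN
# Constructed traffic from one address: 59 SYNs in 45 s, and one every 10 s.
BURST = [(i * 45 / 58, "203.0.113.7") for i in range(59)]
SLOW = [(i * 10.0, "203.0.113.7") for i in range(59)]
```

The model leaves out the `-m limit --limit 1/s` rule deliberately: that match is one global token bucket (burst 5) shared by every source rather than a per-address counter, and a SYN it declines is simply retransmitted by the client a moment later instead of being rate-limited away.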