Old 03-27-2008, 12:11 AM   #1
iptables: dissecting recent module rules

I've been testing with the iptables recent module on a RHEL 5.1 installation, and I want to be sure I understand how it works before deploying rules in a production environment.

Snippets from my script:
# brute force control
${cmd} -A INPUT -m state --state NEW -p tcp --dport 22 -m recent --set --name BRUTE
${cmd} -A INPUT -m recent --rcheck --name BRUTE --hitcount 6 --seconds 60 -j DROP
# allow sshd traffic in
${cmd} -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
Based on what I've read on the IPTables/Netfilter Recent Module project page, a brief but useful howto on some guy's blog, and the iptables(8) manpages, this is how I interpret the first two rules from the snippet I posted:
  • Inbound tcp SYN packets to port 22 are added to a list (in memory) named BRUTE.
  • BRUTE is checked, and if there are >= 6 entries for a source IP within the last 60 seconds, additional traffic from that source IP is dropped.

Is this explanation of how the rules are behaving correct?

Thanks for any informed insights.
Old 03-27-2008, 01:20 AM   #2
Your understanding is correct. But, one would imagine it's more optimal to just use --update (as per "the author's favorite method" in the snowman link) instead of adding each ssh syn packet to the list. Also, you may want to change --state NEW to --syn after reading this.

Last edited by Berhanie; 03-27-2008 at 01:30 AM.
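To trace what the two rule orderings discussed above actually do (the original poster's --set then --rcheck pair, and the --update-first ordering reply #2 points to), here is a small Python model of the recent list's matching. It is added for this thread and is not code from the posts or from netfilter; it assumes the list keeps a ring buffer of 20 hit timestamps per address (the module's default ip_pkt_list_tot) and that the chain policy is ACCEPT.

```python
from collections import deque

# Model of the xt_recent list: one ring buffer of hit timestamps per source.
# 20 is the module's default ip_pkt_list_tot (assumed default, not from the thread).
LIST_SIZE = 20

class RecentList:
    def __init__(self):
        self.stamps = {}  # source address -> deque of timestamps (seconds)

    def set(self, src, now):
        # --set: add the address if new and record a hit
        self.stamps.setdefault(src, deque(maxlen=LIST_SIZE)).append(now)
        return True

    def check(self, src, now, seconds, hitcount, update=False):
        # --rcheck / --update: match if >= hitcount stamps lie within `seconds`;
        # --update also records a fresh stamp, but only when it matched
        buf = self.stamps.get(src)
        if buf is None:
            return False
        matched = sum(1 for t in buf if now - t <= seconds) >= hitcount
        if matched and update:
            buf.append(now)
        return matched

def op_chain(lst):
    # original poster's ordering: --set, then --rcheck -j DROP, then ACCEPT;
    # a rule is (match, target); target None means no -j, side effect only
    return [(lambda s, t: lst.set(s, t), None),
            (lambda s, t: lst.check(s, t, 60, 6), "DROP"),
            (lambda s, t: True, "ACCEPT")]

def update_chain(lst):
    # reply #2's suggestion: --update -j DROP first, then --set, then ACCEPT
    return [(lambda s, t: lst.check(s, t, 60, 6, update=True), "DROP"),
            (lambda s, t: lst.set(s, t), None),
            (lambda s, t: True, "ACCEPT")]

def simulate(chain_factory, times, src="198.51.100.7"):
    # feed new SSH SYNs from one source at the given second offsets; return verdicts
    chain = chain_factory(RecentList())
    verdicts = []
    for now in times:
        verdict = "ACCEPT"  # chain policy assumed ACCEPT for the model
        for match, target in chain:
            if match(src, now) and target is not None:
                verdict = target
                break
        verdicts.append(verdict)
    return verdicts
```

With the posted ordering the sixth SYN inside the 60 second window is the first one dropped, while the --update-first ordering lets the sixth through and starts dropping at the seventh, because the check runs before that packet's own hit is recorded; in both cases a source that stays quiet for longer than --seconds is accepted again.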
Old 03-27-2008, 02:08 AM   #3
FWIW, I concur with Berhanie in that your understanding is correct, and with his suggestion to make sure your TCP packets of state NEW are proper SYNs. You basically just need to add a rule like this before the ones you posted:
iptables -A INPUT -p TCP ! --syn -m state --state NEW -j DROP
I would also add that when doing this kind of anti-brute-force stuff it might be a good idea to enable TCP SYN cookies. This way the SYN packets are checked for spoofing. Without this check you are vulnerable to a denial-of-service attack by anyone. They just need to send enough spoofed packets with your source IP on them to trigger the hitcount match, effectively locking you out of your own box. To have them automatically enabled at startup put a line like this in your /etc/sysctl.conf file:
Just my

Last edited by win32sux; 03-27-2008 at 02:12 AM.
Old 03-27-2008, 01:32 PM   #4
Original Poster
Great -- thanks for the feedback & info, fellas.