Old 11-24-2010, 08:31 AM   #1
iptables recent

For brute-force protection I have this chain:
-A bruteprotect -m recent --set --name BRUTEFORCE --rsource
-A bruteprotect -m recent ! --update --seconds 60 --hitcount 4 --name BRUTEFORCE --rsource -j RETURN
-A bruteprotect -j LOG --log-prefix "[DROP BRUTEFORCE] : " --log-tcp-options --log-ip-options
-A bruteprotect -j DROP
I can call that chain to protect my SSH server:
-A INPUT -p tcp -m tcp --dport 22 -j bruteprotect
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
I wanted to use this same procedure to protect a DNS server from silly Apple requests like this.
The following example should not be used for this purpose!!:
-A dnsbugtest -m length ! --length 89 -j RETURN
-A dnsbugtest -m string --algo kmp ! --string "dnsbugtest" -j RETURN
-A dnsbugtest -m recent --set --name DNSBUGTEST --rsource
-A dnsbugtest -m recent ! --update --seconds 60 --hitcount 5 --name DNSBUGTEST --rsource -j RETURN
-A dnsbugtest -j LOG --log-prefix "[DROP dnsbugtest] : " --log-tcp-options --log-ip-options
-A dnsbugtest -j DROP
It does work in that it detects those exact DNS requests (the first part), but after it reaches the threshold of 5 it blocks that request for as long as it keeps trying, which is forever...

That may be what you want if someone tries to log in to your SSH server, but you don't want this with this kind of traffic.
After a minute I want to allow him again for another 5 requests.

I dismissed the limit rule because it doesn't keep different tables for each remote IP.
I experimented a while with rcheck / set and update but in the end I got a headache.

I am interested in a blocking method like the first example, with the difference that it should ignore subsequent tries...
At the moment I'm not interested in info about 'dnsbugtest' itself, but maybe later on.
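The behaviour described in this post follows from the rule order, not from the recent match itself: the `--set` rule runs for every packet, so the packets that end up dropped still add timestamps to the DNSBUGTEST list, and a source that keeps sending never falls back under the hitcount. Running the check before the set, and only stamping packets that pass, makes the list hold at most 5 accepted packets per 60-second window, so another 5 are allowed once the earlier ones age out. The script below is an added example, not code from the original thread or from the netfilter project: it models the xt_recent stamp list (one stamp per `--set`, a ring of 20 stamps per source by default, `--rcheck --seconds S --hitcount H` matching when at least H stamps are no older than S seconds), simulates one packet per second from a constructed source address for three minutes in both orderings, and emits the check-then-set version of the posted chain. It uses `--rcheck` rather than the post's `--update` for both orderings so that only the rule order differs; the function and variable names are this example's own.

```python
"""Model of the iptables 'recent' match showing why the order of --set and
--rcheck decides whether a source is blocked for as long as it keeps sending,
or only until its earlier hits age out of the window.

Added example, not code from the original thread.  Assumed xt_recent
behaviour: every --set records one timestamp per packet (ring of 20 stamps
by default); --rcheck --seconds S --hitcount H matches when at least H
recorded stamps are no older than S seconds.
"""
from collections import defaultdict

IP_PKT_LIST_TOT = 20  # kernel default: stamps kept per source address


class RecentTable:
    """Per-source timestamp ring, as kept by one --name table."""

    def __init__(self, capacity=IP_PKT_LIST_TOT):
        self.capacity = capacity
        self.stamps = defaultdict(list)

    def set(self, src, now):
        """--set: record one more stamp for src, evicting the oldest if full."""
        ring = self.stamps[src]
        ring.append(now)
        if len(ring) > self.capacity:
            del ring[0]

    def rcheck(self, src, now, seconds, hitcount):
        """--rcheck --seconds --hitcount: True if at least `hitcount` stamps
        are within the last `seconds` seconds (a stamp exactly `seconds`
        old still counts, as in the kernel's time_after() test)."""
        cutoff = now - seconds
        hits = sum(1 for s in self.stamps.get(src, ()) if s >= cutoff)
        return hits >= hitcount


def chain_set_then_check(table, src, now, seconds=60, hitcount=5):
    """Order from the original post: record every packet, then check.
    Dropped packets refill the window, so a source that keeps sending
    never gets back under the threshold."""
    table.set(src, now)
    if not table.rcheck(src, now, seconds, hitcount):
        return "RETURN"
    return "DROP"


def chain_check_then_set(table, src, now, seconds=60, hitcount=5):
    """Corrected order: check first, record only packets that pass.
    Dropped packets leave no stamp, so at most `hitcount` packets are
    accepted per `seconds`-second window no matter how hard the source tries."""
    if table.rcheck(src, now, seconds, hitcount):
        return "DROP"
    table.set(src, now)
    return "RETURN"


def simulate(chain, duration=180, interval=1, src="198.51.100.7"):
    """Send one packet every `interval` seconds for `duration` seconds from a
    constructed source address; return the times of the accepted packets."""
    table = RecentTable()
    accepted = []
    for t in range(1, duration + 1, interval):
        if chain(table, src, t) == "RETURN":
            accepted.append(t)
    return accepted


def fixed_chain_rules(name="DNSBUGTEST", chain="dnsbugtest", seconds=60, hitcount=5):
    """iptables-restore lines for the check-then-set version of the posted
    chain.  The length/string pre-filter is kept as posted (negation in front
    of --string, as current iptables expects); both --rcheck rules only read
    the list, and --set runs last so only accepted packets are recorded."""
    return [
        f'-A {chain} -m length ! --length 89 -j RETURN',
        f'-A {chain} -m string --algo kmp ! --string "dnsbugtest" -j RETURN',
        f'-A {chain} -m recent --rcheck --seconds {seconds} --hitcount {hitcount} '
        f'--name {name} --rsource -j LOG --log-prefix "[DROP {chain}] : "',
        f'-A {chain} -m recent --rcheck --seconds {seconds} --hitcount {hitcount} '
        f'--name {name} --rsource -j DROP',
        f'-A {chain} -m recent --set --name {name} --rsource',
    ]


if __name__ == "__main__":
    for label, chain in (("set-then-check", chain_set_then_check),
                         ("check-then-set", chain_check_then_set)):
        acc = simulate(chain)
        print(f"{label}: {len(acc)} packets accepted in 180 s: {acc}")
    print("\n".join(fixed_chain_rules()))
```

With one packet per second, the set-then-check order accepts 4 packets and then drops everything for the rest of the run, while the check-then-set order accepts 5, drops until those 5 stamps are older than 60 seconds, then accepts the next 5, and so on. If a fixed per-source budget is wanted without any dependence on the recent list at all, the hashlimit match is the per-address counterpart of the `limit` match dismissed above (`-m hashlimit --hashlimit-mode srcip --hashlimit-upto 5/minute --hashlimit-burst 5 --hashlimit-name dnsbugtest -j RETURN` followed by the LOG and DROP rules); it keeps a token bucket per source instead of a timestamp list.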
Old 11-25-2010, 09:13 AM   #2
Original Poster
No-one has an idea how to do this?