BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

iptables 'recent' stuff

Subject: iptables 'recent' stuff
From: warlord at MIT.EDU (Derek A Atkins)
Date: Wed, 27 Jul 2005 11:50:15 -0400
In-reply-to: <20050727154222.GB2860@tao>
References: <20050725170752.GN20841@tao> <LGEBIKMPEODOJPJAMBHGKELNCDAA.lug@the-leveys.us> <20050725192346.GO20841@tao> <sjmy87tbu40.fsf@cliodev.pgp.com> <20050726132537.GY20841@tao> <sjmek9kb8r5.fsf_-_@cliodev.pgp.com> <20050727154222.GB2860@tao>

Quoting dsr at tao.merseine.nu:

> On Wed, Jul 27, 2005 at 10:53:34AM -0400, Derek Atkins wrote:
>> dsr at tao.merseine.nu writes:
>> So something like this in /etc/sysconfig/iptables would do what I
>> wanted?
>>
>> -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh --set
>
> Adds the packet info to the ssh recent list

Doesn't this also update the entry if it already exists?

[!] --set

    -> This will add the source address of the packet to the list. If 
the source
address is already in the list, this will update the existing entry. This will
always return success or failure if `!' is passed in.

>> -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh 
>> --update --seconds 60 --hitcount 4 -j LOG --log-level WARN 
>> --log-prefix SSH-TOO-FAST
>
> This logs packets which have appeared 4 times in the last 60 secs

Doesn't this need to be --rcheck as well, as the state would've been 
updated by
the --set in the previous line?

>> -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh 
>> --update --seconds 60 --hitcount 4 -j REJECT --reject-with 
>> icmp-host-prohibited
>
> This should be --rcheck instead of --update, as the packet count
> does not need to be updated.

Okay, I thought so on this one...

>> Question: is there some way to have a rule that if one 'recent'
>> check passed then I can set another one?  E.g., I'd like to be able
>> to do something like:
>>
>> if packet matches XX, set badguy
>> if packet matches YY, set badguy if YY-hitcount >= 4
>> if packet matches ZZ, set badguy if ZZ-hitcount >= 6
>> if badguy, drop
>>
>> I just don't know if you can have multiple "recent name" settings like
>> this?
>
> I think I understand what you want -- anyone who is on any of
> the idiot lists, drop all packets from them -- but I don't think
> you can do it this way.

True, but I think I can do it with various chains..  If I have a chain 
for each
type of miscreant then a global "kill them"...

> -dsr-

Thanks!

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord at MIT.EDU                        PGP key available

References:
- removing a Linux Keylogger
  - From: dsr at tao.merseine.nu (dsr at tao.merseine.nu)
- removing a Linux Keylogger
  - From: lug at the-leveys.us (Don Levey)
- removing a Linux Keylogger
  - From: dsr at tao.merseine.nu (dsr at tao.merseine.nu)
- removing a Linux Keylogger
  - From: warlord at MIT.EDU (Derek Atkins)
- removing a Linux Keylogger
  - From: dsr at tao.merseine.nu (dsr at tao.merseine.nu)
- iptables 'recent' stuff
  - From: warlord at MIT.EDU (Derek Atkins)
- iptables 'recent' stuff
  - From: dsr at tao.merseine.nu (dsr at tao.merseine.nu)

Prev by Date: removing a Linux Keylogger
Next by Date: removing a Linux Keylogger
Previous by thread: iptables 'recent' stuff
Next by thread: removing a Linux Keylogger
Index(es):
- Date
- Thread


BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Boston Linux & Unix / webmaster@blu.org