Not a question but I thought I would share this with everyone.
The iptables "recent" module has finally been completely rewritten and fixed in kernel 2.6.18. It allows protection against brute-force attacks (against SSH or FTP, for example).
I get such attacks daily. Here is an example of use that works well for me, assuming that all ports are DROPped by default:
Code:
# Rule 1: record every new SSH connection attempt from the source IP in the "ssh" table
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name ssh
# Rule 2: if the source has 4 or more attempts in the last 300 s (same TTL), log it
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 4 --rttl --name ssh -j LOG --log-prefix "[SSH BF ATTACK] "
# Rule 3: ... and reject it (--update also refreshes the entry, so a persistent attacker stays blocked)
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 4 --rttl --name ssh -j REJECT --reject-with icmp-host-prohibited
# Rule 4: everything below the threshold is accepted
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
This tells the firewall to log and reject anyone (the source IP) who tried to open an ssh connection to my server more than 3 times (--hitcount) in less than 5 minutes (--seconds). The state is stored in the /proc/net/ipt_recent/ssh file (--name). The connection is reopened when the number of tries in the last 5 minutes drops below 4.
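To make the timing behaviour of the ruleset above concrete, here is a small Python model of the "recent" match semantics the four rules rely on (--set always records the packet; --update with --seconds/--hitcount matches when the source was seen at least hitcount times inside the window, and a matching packet is itself recorded). This is an added example written for this page, not the poster's code nor part of iptables; the attacker and client addresses and the timestamps are constructed, --rttl is not modelled, and the per-address ring size follows the xt_recent default (ip_pkt_list_tot = 20). It shows something the post only implies: because rule 1 records every attempt before rules 2 and 3 are evaluated, rejected attempts also count as "tries", so an attacker who keeps hammering stays blocked until it has been quiet for a full window.

```python
"""Model of the iptables 'recent' match as used by the SSH brute-force rules.

Added example for this page (not the original poster's code). Addresses and
timestamps below are constructed; --rttl is not modelled.
"""
from collections import defaultdict, deque

# xt_recent keeps a ring of the last ip_pkt_list_tot timestamps per source
# address; 20 is the module's default.
IP_PKT_LIST_TOT = 20


class RecentTable:
    """One --name table, like /proc/net/ipt_recent/ssh in the post."""

    def __init__(self):
        self.entries = defaultdict(lambda: deque(maxlen=IP_PKT_LIST_TOT))

    def set(self, ip, now):
        """--set: record this packet for `ip` and always match."""
        self.entries[ip].append(now)
        return True

    def update(self, ip, now, seconds, hitcount):
        """--update --seconds S --hitcount N.

        Matches only if `ip` is already in the table and has at least N
        recorded packets within the last S seconds. A matching packet is
        appended to the entry (the 'update'), which is what keeps a
        persistent attacker blocked.
        """
        stamps = self.entries.get(ip)       # .get() does not create an entry
        if stamps is None:
            return False
        hits = sum(1 for t in stamps if now - t <= seconds)
        if hits < hitcount:
            return False
        stamps.append(now)
        return True


def ssh_syn(table, ip, now, seconds=300, hitcount=4):
    """Walk one new SSH connection through the four rules of the post.

    Returns (verdict, logged). Rule 2 (LOG) is non-terminating, so both
    --update rules are evaluated for a packet over the threshold.
    """
    table.set(ip, now)                                   # rule 1: --set
    logged = table.update(ip, now, seconds, hitcount)    # rule 2: -j LOG
    if table.update(ip, now, seconds, hitcount):         # rule 3: -j REJECT
        return "REJECT", logged
    return "ACCEPT", logged                              # rule 4: -j ACCEPT


def simulate(events, seconds=300, hitcount=4):
    """Apply the ruleset to a list of (ip, time) new-connection events."""
    table = RecentTable()
    return [(ip, t, ssh_syn(table, ip, t, seconds, hitcount)[0])
            for ip, t in events]


# Constructed sample: an attacker hammering port 22 and one legitimate client.
ATTACKER = "203.0.113.5"
CLIENT = "198.51.100.7"
EVENTS = [
    (ATTACKER, 0), (ATTACKER, 10), (ATTACKER, 20),   # three tries: allowed
    (CLIENT, 25),                                    # unrelated client
    (ATTACKER, 30),                                  # 4th try in 300 s: rejected
    (ATTACKER, 200),                                 # still inside the window
    (ATTACKER, 340),   # the first four stamps have aged out, but the rejected
                       # attempts at 200 were recorded too, so still blocked
    (ATTACKER, 700),   # quiet for > 300 s: the window is empty, allowed again
]

if __name__ == "__main__":
    for ip, t, verdict in simulate(EVENTS):
        print(f"t={t:4d}  {ip:14s}  {verdict}")
```

The verdict at t=340 is the instructive one: none of the four original attempts is inside the last 300 seconds any more, yet the source is still rejected because the blocked attempts at t=30 and t=200 were themselves recorded by rule 1 and by the two --update rules. Only after a silent stretch longer than --seconds does the count drop below --hitcount and the port reopen, which is exactly the behaviour the post describes.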