max size of ipt_recent match

Joshua, C.S. Chen cschen at asiaa.sinica.edu.tw
Fri Nov 4 09:52:28 CET 2005


Hi folks,
I am now using the recent match to block ssh brute-force attacks like

### ssh brute-force attack rule
$IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set

$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
--rcheck --seconds 5 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: 3/5 '
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
--rcheck --seconds 5 --hitcount 3 -j REJECT --reject-with tcp-reset

$IPTABLES -A FORWARD -p tcp --syn --dport 22 -m recent --name sshattack --set

$IPTABLES -A FORWARD -p tcp --dport 22 --syn -m recent --name sshattack \
--rcheck --seconds 5 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: 3/5 '
$IPTABLES -A FORWARD -p tcp --dport 22 --syn -m recent --name sshattack \
--rcheck --seconds 5 --hitcount 3 -j REJECT --reject-with tcp-reset


It works very well for me.
Then I found that the internal table at /proc/net/ipt_recent/sshattack
has a maximum of 100 entries; after that number of entries has been
reached, no more new entries can be added, so the above has no effect.

Does anyone know how to 'enlarge' the limit of the table? Or what should be
done to cycle/purge old entries so new hit entries can be added?


Thanks in advance
Joshua
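Added example, not from Joshua's post: a small POSIX sh helper for checking how
close a recent-match table is to the per-list limit and for working out which
entries could be purged. It assumes the table snapshot uses the line format
printed by /proc/net/ipt_recent/<name> ("src=A.B.C.D ttl: N last_seen: J ..."),
that last_seen is in kernel jiffies with HZ as the tick rate, and that the
list size is the ipt_recent module parameter ip_list_tot (default 100, set at
module load time, e.g. via an options line in modprobe.conf). The purge command
it prints writes "-addr" to the proc file, which the recent-match documentation
describes as removing that address; verify this against the iptables man page
for your version. The addresses and jiffies values in the sample are constructed.

```shell
#!/bin/sh
# Added example, not from the original post.  Inspect a saved copy of a
# recent-match table and decide whether it has hit the module's per-list
# limit.  Assumptions: snapshot lines look like the ones printed by
# /proc/net/ipt_recent/<name>, last_seen is in kernel jiffies, HZ is the
# tick rate of the kernel that produced the snapshot.

# Default list size of ipt_recent (module parameter ip_list_tot);
# override with IP_LIST_TOT=... in the environment.
IP_LIST_TOT=${IP_LIST_TOT:-100}

# make_sample FILE: write a constructed three-entry snapshot to FILE.
# Addresses, ttls and jiffies values are made up for the demonstration.
make_sample() {
    cat > "$1" <<'EOF'
src=192.0.2.10 ttl: 64 last_seen: 100000 oldest_pkt: 1 last_pkts: 100000
src=192.0.2.11 ttl: 53 last_seen: 400000 oldest_pkt: 3 last_pkts: 399000, 399500, 400000
src=198.51.100.7 ttl: 61 last_seen: 401500 oldest_pkt: 2 last_pkts: 401000, 401500
EOF
}

# count_entries FILE: number of source addresses currently tracked.
count_entries() {
    grep -c '^src=' "$1"
}

# table_full FILE [LIMIT]: succeed when the table holds LIMIT or more
# entries, i.e. the "no new entries can be added" condition from the post.
table_full() {
    limit=${2:-$IP_LIST_TOT}
    [ "$(count_entries "$1")" -ge "$limit" ]
}

# stale_entries FILE NOW_JIFFIES MAX_AGE_SEC HZ: print one address per line
# for entries whose last_seen is older than MAX_AGE_SEC seconds, oldest first.
stale_entries() {
    awk -v now="$2" -v max="$3" -v hz="$4" '
        /^src=/ {
            ip = substr($1, 5)
            for (i = 1; i <= NF; i++) if ($i == "last_seen:") seen = $(i + 1)
            if ((now - seen) / hz > max) print seen, ip
        }' "$1" | sort -n | cut -d" " -f2
}

# purge_command NAME IP: the command that removes IP from the live table
# NAME by writing "-IP" to its proc file (assumed semantics, see lead-in).
purge_command() {
    printf 'echo -%s > /proc/net/ipt_recent/%s\n' "$2" "$1"
}

# Demonstration on the constructed snapshot: treat a 3-entry list as full
# and print purge commands for entries idle for more than 60 seconds.
snap=$(mktemp)
make_sample "$snap"
echo "tracked entries: $(count_entries "$snap") (limit $IP_LIST_TOT)"
if table_full "$snap" 3; then
    echo "table at limit: candidates idle for more than 60 s:"
    stale_entries "$snap" 420000 60 1000 | while read -r ip; do
        purge_command sshattack "$ip"
    done
fi
rm -f "$snap"
```

On a live system you would run the functions against /proc/net/ipt_recent/sshattack directly and take NOW_JIFFIES and HZ from the running kernel; the sample file only stands in for that table so the script runs offline.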





More information about the netfilter mailing list