kernel panic because of recent match
Joshua, C.S. Chen
cschen at asiaa.sinica.edu.tw
Thu Sep 8 18:52:46 CEST 2005
Hi all,
I am using linux iptables at my institute serving as gate/firewall. It's
working fine and smoothly. Recently we enabled the following rules to block
ssh brute-force attacks
### ssh brute-force attack rule
### every new SSH SYN records the source in the "sshattack" list
$IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
### third SYN from the same source within 60 seconds: log, then reject
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
--rcheck --seconds 60 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: '
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
--rcheck --seconds 60 --hitcount 3 -j REJECT --reject-with tcp-reset
### same rules for traffic routed through the firewall
$IPTABLES -A FORWARD -p tcp --syn --dport 22 -m recent --name sshattack \
--set
$IPTABLES -A FORWARD -p tcp --dport 22 --syn -m recent --name sshattack \
--rcheck --seconds 60 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: '
$IPTABLES -A FORWARD -p tcp --dport 22 --syn -m recent --name sshattack \
--rcheck --seconds 60 --hitcount 3 -j REJECT --reject-with tcp-reset
And it really blocks ssh connections at the threshold (3 per 60 seconds).
BUT after some time (several hours, or sometimes several tens of
minutes), the firewall crashes with a kernel panic, without any logs to trace.
The kernel is from CentOS 4.1, 2.6.9-11.ELsmp. The machine is a dual AMD
Opteron CPU with 2G RAM. It will go to kernel panic sooner or later once we
enable the recent match. Is there any hope to solve this problem? Is the AMD
CPU or SMP (dual CPU) the reason?
And I am so curious about the internal 'recent match list'. Do I have a
chance to see the list? Once an IP triggers the drop or log rule, can I
see it? Is the list somewhere in /proc/*?
Thanks in advance
Joshua
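The recent match does keep its per-list state under /proc, which answers the question above. The script below is an added example, not part of the original post or of the netfilter project: it reads a recent-match table and prints the sources that have reached a given hit count. It assumes the table lives at /proc/net/xt_recent/<name> (the xt_recent module used by kernels from 2.6.28 on; the ipt_recent module in the 2.6.9 kernel of the post used /proc/net/ipt_recent/<name>) and that each table line has the form "src=A.B.C.D ttl: N last_seen: J oldest_pkt: K J1 J2 ...", where the trailing values are the jiffies timestamps of the recorded hits. The sample table embedded in the script is constructed for illustration; the "+addr", "-addr" and "/" writes are the xt_recent control interface, and the older ipt_recent module accepted a different write syntax, so check the module's own documentation before relying on them there.

```shell
#!/bin/sh
# Added example: inspect and maintain an iptables "recent" list from userspace.
# Not from the original post. Path and line format are assumptions (see lead-in).

RECENT_TABLE=${RECENT_TABLE:-/proc/net/xt_recent/sshattack}

# Constructed sample of the table contents, used so the script runs offline.
# Fields: src=IP ttl: N last_seen: J oldest_pkt: K <one jiffies value per hit>
sample_table() {
    printf '%s\n' \
      'src=203.0.113.7 ttl: 64 last_seen: 4294952583 oldest_pkt: 3 4294951921 4294952290 4294952583' \
      'src=198.51.100.20 ttl: 57 last_seen: 4294950100 oldest_pkt: 1 4294950100'
}

# recent_hits THRESHOLD  (table text on stdin)
# Prints "IP HITS" for every source with at least THRESHOLD recorded hits.
# The first seven fields are the fixed header; every field after that is one
# timestamp, so NF-7 is the number of hits the kernel still remembers.
recent_hits() {
    awk -v th="$1" '
      /^src=/ {
        ip   = substr($1, 5)   # strip the "src=" prefix
        hits = NF - 7
        if (hits >= th) print ip, hits
      }'
}

# Convenience wrappers around the xt_recent write interface (assumed, see lead-in):
# "+addr" adds/refreshes an entry, "-addr" removes it, "/" flushes the whole list.
recent_show()   { recent_hits "${1:-1}" < "$RECENT_TABLE"; }
recent_add()    { echo "+$1" > "$RECENT_TABLE"; }
recent_del()    { echo "-$1" > "$RECENT_TABLE"; }
recent_flush()  { echo "/"   > "$RECENT_TABLE"; }

# Stand-alone demo on the constructed sample: only the first source has
# reached the rule's hitcount of 3.
sample_table | recent_hits 3
```

On the firewall itself, `recent_show 3` lists the sources that the LOG/REJECT rules above would currently match, and `recent_del 203.0.113.7` releases a host that locked itself out; `iptables -L INPUT -v -n` shows the per-rule packet counters if you want to confirm the rules are firing at all.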