iptables recent matching rule
Source: zioup.org
Linux iptables now offers extended packet matching modules. The recent module tracks IP addresses and allows packets to be matched against that list using other criteria.
We are going to use a combination of lists created by the recent module and a new chain to track attackers. The two problems we are trying to minimise are:
- centralised port scans.
- ssh attacks: somebody tries to log in through ssh from a single IP address using different user IDs and passwords.
port scan
A port scan will try to talk to our machine on different ports. The idea here is to ban the offending IP address as soon as it touches a non-authorised port.
We accomplish this by creating two rules. The first one has to be the last rule in the INPUT chain: it replaces your rule that says that if a packet has not matched any rule it should be DROPped. In addition to DROPping the packet, we add the source IP address to the « badguys » list:
    iptables ...
    . . .
    iptables -A INPUT -t filter -i $OUTS -j DROP -m recent --set --name badguys
The next rule will be the first rule of the INPUT chain and will block any packet from IP addresses that are present in the badguys list and from which we have received a packet within the last hour. Note that we use the « --update » option rather than « --rcheck », so that any new packet resets the clock; offenders have to be completely silent for one hour in order to be able to communicate with us again:
    iptables -A INPUT -i $OUTS -m recent --name badguys --update --seconds 3600 -j DROP
    iptables ...
    . . .
    iptables -A INPUT -t filter -i $OUTS -j DROP -m recent --set --name badguys
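The complete rule set described above, as an added example that is not code from the original article: it puts the --set rule in a dedicated chain (the "new chain" mentioned at the top; TRACK_BAD is a name assumed here), adds a rate-limited LOG so new bans show up in syslog, and includes a parser for the /proc/net/xt_recent list so an operator can see who is banned and remove an entry by hand. It assumes OUTS is the external interface and the proc-file layout given in the comments.

```shell
#!/bin/sh
# Added example, not code from the original article: wires the two rules above into a
# dedicated chain (TRACK_BAD, a name chosen here) and adds the checks an operator wants
# afterwards: listing who is banned and clearing one entry by hand.
# Assumptions: OUTS is the external interface, LIST the recent list name, and the
# xt_recent proc file uses the "src=A ttl: N last_seen: J oldest_pkt: N J,J,..." layout.
OUTS=${OUTS:-eth0}
LIST=${LIST:-badguys}
BAN=${BAN:-3600}

# DRY_RUN=1 prints each command instead of executing it (no root or kernel needed).
ipt() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi; }

install_rules() {
    ipt -N TRACK_BAD 2>/dev/null || true
    ipt -F TRACK_BAD
    # Anything reaching TRACK_BAD touched a port no earlier rule accepted: record the
    # source (--set always matches), log it rate-limited so a scan cannot flood syslog, drop.
    ipt -A TRACK_BAD -m recent --set --name "$LIST"
    ipt -A TRACK_BAD -m limit --limit 6/min -j LOG --log-prefix "$LIST: "
    ipt -A TRACK_BAD -j DROP
    # First rule of INPUT: --update extends the ban as long as the offender keeps talking.
    ipt -I INPUT 1 -i "$OUTS" -m recent --name "$LIST" --update --seconds "$BAN" -j DROP
    # Last rule of INPUT: the catch-all that used to be a bare DROP.
    ipt -A INPUT -i "$OUTS" -j TRACK_BAD
}

# Parse a recent-list proc file (normally /proc/net/xt_recent/$LIST) into "addr hits";
# hits counts the stored timestamps, which the module caps at ip_pkt_list_tot (default 20).
banned() {
    awk '$1 ~ /^src=/ { sub(/^src=/, "", $1); n = split($8, t, ","); print $1, n }' "$1"
}

# Drop one address from the list early (kernel interface: write "-ADDR" to the proc file).
unban() { echo "-$1" > "/proc/net/xt_recent/$LIST"; }

# Constructed sample in the proc-file layout, so banned() can be exercised offline.
sample_recent_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
src=203.0.113.7 ttl: 54 last_seen: 4295018633 oldest_pkt: 3 4295018401,4295018520,4295018633
src=198.51.100.9 ttl: 64 last_seen: 4295020100 oldest_pkt: 1 4295020100
EOF
    echo "$f"
}
```

Run with DRY_RUN=1 first to review the generated rules; the timestamps in the proc file are kernel jiffies, so use last_seen only to order entries, not to compute remaining ban time.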