Iptables recent module bug

by Juliet Kemp

Anyone who administers boxes which are always-online is familiar with the experience of finding their logs clogged with script-kiddie attempts to brute-force passwords. Despite being pretty unsophisticated, and unlikely to prove a serious security problem (provided you're enforcing a reasonable password policy), they're still a nuisance. This article discusses a very good way of limiting connections via iptables, using the 'recent' module, so that clients who try to connect too many times in a short space of time are denied access.

I've been using this for somewhere between 6 and 12 months, and been very happy with it. However, after a recent upgrade, ssh started to act up on certain machines - all connections, even from machines on the local subnet, were refused. Experimentation revealed that this was due to the iptables 'recent' rules.

There's a discussion of exactly what happens here, and it's also been reported as a Debian bug (however, I can confirm that it also affects at least RHEL4 on its current kernel). Looking at the files in /proc/net/ipt_recent (which is where the module keeps track of the relevant data), this is exactly what I was experiencing.

It's been fixed in 2.6.12 and upwards; unfortunately, the current Debian stable kernel is 2.6.8 (the current RHEL4 is 2.6.9). Solutions: either remove the 'recent' rule for the moment and live with the script-kiddies (as mentioned above, you should be enforcing decent password policies...); or use apt-get pinning (on Debian) to upgrade your kernel; or be prepared to reboot every 25 days...
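
For reference, a rule set of the kind described at the top of this article, written here as an added example (it is not taken from the original post or the article it links to). The chain name SSH_LIMIT, the list name SSH, the 60-second/4-hit values and the 192.0.2.0/24 trusted range are assumptions chosen for illustration. The script only prints the commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example: print iptables commands that rate-limit NEW SSH connections
# per source address with the 'recent' module. SSH_LIMIT (chain) and SSH
# (recent list) are hypothetical names, not taken from the article.

is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# recent_rules PORT SECONDS HITCOUNT [TRUSTED_CIDR]
recent_rules() {
    port=$1 secs=$2 hits=$3 trusted=${4:-}
    for n in "$port" "$secs" "$hits"; do
        is_uint "$n" || { echo "not a number: $n" >&2; return 1; }
    done
    # 'recent' remembers 20 packets per address by default
    # (module parameter ip_pkt_list_tot), so cap the hit count there.
    if [ "$hits" -lt 1 ] || [ "$hits" -gt 20 ]; then
        echo "hitcount must be 1..20" >&2; return 1
    fi
    # Only digits, dots and a slash are allowed in the trusted range, so the
    # printed commands stay safe to pipe into a shell.
    case "$trusted" in *[!0-9./]*) echo "bad CIDR: $trusted" >&2; return 1 ;; esac

    echo "iptables -N SSH_LIMIT"
    echo "iptables -A INPUT -p tcp --dport $port -m state --state NEW -j SSH_LIMIT"
    # Optional: let a trusted range bypass the limit, so a misbehaving
    # 'recent' list cannot lock out local administration.
    if [ -n "$trusted" ]; then
        echo "iptables -A SSH_LIMIT -s $trusted -j ACCEPT"
    fi
    # Record this attempt, then drop it if it is the HITCOUNT-th one from the
    # same source within SECONDS. --update refreshes the entry on a match, so
    # a client that keeps hammering stays blocked.
    echo "iptables -A SSH_LIMIT -m recent --name SSH --set"
    echo "iptables -A SSH_LIMIT -m recent --name SSH --update --seconds $secs --hitcount $hits -j DROP"
    echo "iptables -A SSH_LIMIT -j ACCEPT"
}

# Constructed sample values: port 22, three connections allowed per 60 s,
# documentation range 192.0.2.0/24 standing in for the local subnet.
recent_rules 22 60 4 192.0.2.0/24
```

With `--hitcount 4` the first three new connections from one address inside the window are accepted and the fourth is dropped.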

7 Comments

Carla Schroder
2006-05-09 10:55:25
Thanks, good article.
Another option is to use DenyHosts, so you don't have to mess with iptables rules at all. It's easy and effective and very configurable. A nice howto here:
http://www.enterprisenetworkingplanet.com/netos/article.php/3553111




Tom Copeland
2006-05-19 20:55:06
Ditto on DenyHosts; I'm using it on RubyForge and it's made my logwatch emails much shorter. Notes on my setup are here, too.

simbo1905
2006-05-23 05:28:44
As a novice sysadmin I wrote a gawk script to track failed logins in securelog and firewall them after five failed login attempts using the conntrack module. My solution is at http://www.60hertz.com/tech.html#gawkingsecurelog - it works okay on an RHEL4-like box. logrotate is tripping things up once a week so it can do with some tweaks (such as running it as a daemon somehow).

2006-05-23 06:46:53
Thanks Carla - I've implemented this now instead.


Only problem I encountered was that the purging of denied hosts doesn't seem to work well when running it as a daemon - at least not if you are (as I am) wanting to purge every 5 or 10 minutes. I've got around this with a cronjob, so all is functioning now.

az
2006-06-14 22:53:23
ipt_recent users might be interested in my alternative to denyhost which doesn't involve log tailing: pam_recent is a tiny pam module that removes/adds the client ip from/to any ipt_recent list on successful login (as a session management function).

bennies: no extra daemons or logfiles, only needs recent and pam, tiny at 150 lines of C. downsides: needs recent, thus iptables, thus some idea of what you're doing.


more info here.

Dogsbody
2007-01-20 14:25:39
Why reboot every 25 days!? This is linux ;-)


I just added `/etc/rc.d/init.d/iptables restart` into /etc/cron.weekly to flush the tables :-)

unclesmrgol
2007-02-20 11:09:21
you might want to consider the iptables "limit" module which also comes with RHEL4 (and probably with Debian too):


-A NEWSSH -m limit --limit 3/min --limit-burst 3 -j ACCEPT
-A NEWSSH -j DROP


where NEWSSH is a chain created to deal with NEW state connections for SSH (or other restricted ports).