[rhn-users] Iptables problem

Alberto Ferrante Ferrante at alari.ch
Mon Feb 20 17:34:32 UTC 2006


Dear all,
I have had a strange problem with iptables on RHEL 4. To avoid brute
force ssh attacks I have set some rules in my iptables filters. For the
INPUT chain I use the following rules:
-A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_attack
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

While the SSH_attack chain is the following:
-A SSH_attack -m state --state NEW -m recent --name SSH --set
-A SSH_attack -m recent ! --rcheck --name SSH --seconds 60 --hitcount 5 -j RETURN
-A SSH_attack -m limit --limit 10/min -j ULOG --ulog-prefix "SSH Brute Force Attempt: "
-A SSH_attack -p tcp -j DROP

All of this usually works for a couple of days (30 or so); after that
time the ssh port always turns out to be closed. No way, other than
rebooting, to reset the filter. I tried to restart the iptables service
(and unloading the related modules) but this doesn't help.

I have the same rules set on a FC4-based machine and I have never had
this problem, therefore I guess it is related to the RHEL kernels. I am
up to date with the kernel and all the other packages. This problem has
been there at least since last October when I first set this rule.

I thank you in advance for your help.

Regards,
	Alberto

--
Personal Home Page: http://www.alari.ch/~alberto
Public key: http://www.alari.ch/~alberto/key-alari-dti.txt
Advanced Learning and Research Institute [http://www.ALaRI.ch]
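Added example (not part of the original post): a simplified Python model of how the INPUT and SSH_attack rules quoted above evaluate NEW connections to port 22, useful for checking what the rule set is expected to do when it works. The per-address history size of 20, the class and function names, and the sample addresses and timestamps are assumptions made for this illustration.

```python
from collections import defaultdict, deque

SECONDS = 60        # --seconds 60
HITCOUNT = 5        # --hitcount 5
PKT_LIST_TOT = 20   # assumption: timestamps remembered per source address


class RecentList:
    """Simplified model of the list behind `-m recent --name SSH`."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=PKT_LIST_TOT))

    def set(self, src, now):
        # --set: record this packet's timestamp; the match itself always succeeds.
        self.stamps[src].append(now)
        return True

    def rcheck(self, src, now, seconds, hitcount):
        # --rcheck: true if src has at least `hitcount` hits in the last `seconds`.
        hits = sum(1 for t in self.stamps.get(src, ()) if now - t < seconds)
        return hits >= hitcount


def ssh_attack_chain(recent, src, now):
    recent.set(src, now)                                   # rule 1: --set
    if not recent.rcheck(src, now, SECONDS, HITCOUNT):     # rule 2: ! --rcheck
        return "RETURN"
    # rule 3 (ULOG, rate limited) only logs and is non-terminating; rule 4 drops.
    return "DROP"


def input_chain(recent, src, now):
    # A NEW packet to port 22 visits SSH_attack first; RETURN falls through
    # to the second INPUT rule, which accepts it.
    verdict = ssh_attack_chain(recent, src, now)
    return "ACCEPT" if verdict == "RETURN" else verdict


def replay(events):
    recent = RecentList()
    return [input_chain(recent, src, t) for t, src in events]


# Constructed sample: (seconds, source address) of NEW connections to port 22.
EVENTS = [(0, "192.0.2.10"), (10, "192.0.2.10"), (15, "198.51.100.7"),
          (20, "192.0.2.10"), (30, "192.0.2.10"), (40, "192.0.2.10"),
          (50, "192.0.2.10"), (60, "192.0.2.10"), (125, "192.0.2.10")]

if __name__ == "__main__":
    for (t, src), verdict in zip(EVENTS, replay(EVENTS)):
        print(f"t={t:>3}s {src:<13} {verdict}")
```

Because --set runs before the check, dropped attempts still count as hits, so a source that keeps retrying stays blocked until it has been quiet long enough for its hits to age out of the 60-second window.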



