We help IT Professionals succeed at work.
Get Started

iptables hitcount, limit, log not working

Mark
Mark asked
on
2,289 Views
Last Modified: 2014-05-29
I have the iptables script shown below. The --hitcount and --limit rules are not working (lines 5, 10, 13). I just received 139 attempted ssh logins within 44 seconds. This is not uncommon. No message with "SSH Break-in attempt" is ever logged in either /var/log/messages or /var/log/syslog. Please advise on how to fix. I've posted this question on various web forums without getting a solution.

I am concerned with eth0 which is connected to the Internet. eth1 is local LAN traffic only having a few Windows workstations.

Linux slackware distro version 13.37.0, kernel 2.6.37.6, iptables version 1.40.10.

Script:
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -i eth1 -m state --state NEW -j ACCEPT

    iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 \
        --hitcount 10 --rsource -j LOG --log-prefix "SSH Break-in attempt" --log-level 6

    # The following blocks an IP for 60 seconds after 10 unsuccessful ssh attempts

    iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 \
        --hitcount 10 --rsource -j DROP

    iptables -A INPUT -p tcp --syn -m limit --limit 1/s -i eth0 --dport 22 -m state --state NEW -j ACCEPT

    iptables -A INPUT -p TCP -i eth0 -m multiport --dports 25,53,80,443 -m state --state NEW -j ACCEPT

    iptables -A INPUT -p UDP -i eth0 -m multiport --dports 53 -m state --state NEW -j ACCEPT
    iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -I INPUT -p tcp -m tcp -s 64.129.23.99 --dport 37 -j ACCEPT

    iptables -A OUTPUT -o eth0 -m state --state NEW -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -A OUTPUT -o eth1 -m state --state NEW -j ACCEPT

Open in new window


iptables -L -v -n
Chain INPUT (policy DROP 6449 packets, 974K bytes)
 pkts bytes target     prot opt in     out     source               destination
    8   432 ACCEPT     tcp  --  *      *       64.129.23.99         0.0.0.0/0           tcp dpt:37
 117M  199G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
 2586  155K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
20014 2265K ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           state NEW
    0     0 LOG        tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 state NEW recent: UPDATE seconds: 60 hit_count: 10 name: DEFAULT side: source LOG flags 0 level 6 prefix `SSH Break-in attempt'
    0     0 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 state NEW recent: UPDATE seconds: 60 hit_count: 10 name: DEFAULT side: source
  305 17432 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 flags:0x17/0x02 limit: avg 1/sec burst 5 state NEW
 5428  289K ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           multiport dports 25,53,80,443 state NEW
   10   774 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           multiport dports 53 state NEW

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 38 packets, 2120 bytes)
 pkts bytes target     prot opt in     out     source               destination
  66M  138G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
18009 1147K ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           state NEW
 2586  155K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
94575 6395K ACCEPT     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           state NEW

Open in new window

Comment
Watch Question
Commented:
This problem has been solved!
Unlock 2 Answers and 61 Comments.
See Answers
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE