Anyone who administers always-online boxes is familiar with the experience of finding their logs clogged with script-kiddie attempts to brute-force passwords. Despite being pretty unsophisticated, and unlikely to prove a serious security problem (provided you’re enforcing a reasonable password policy), they’re still a nuisance. This article discusses a very good way of limiting connections via iptables, using the ‘recent’ module, so that clients who try to connect too many times in a short space of time are denied access.
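The rule pair that implements this, as an added example rather than the post’s own firewall script: the first rule records the source of every new connection to the SSH port in a ‘recent’ list, the second drops a source that has reached the hit count inside the time window. The list name SSH_RECENT, port, hit count and window are assumed values, and the `-m state` syntax is the one in use on 2.6.8/2.6.9-era iptables.

```shell
#!/bin/sh
# Added example (not from the original post). Generates, and optionally
# applies, iptables 'recent' rules that rate-limit new SSH connections.
# SSH_RECENT, 22, 4 and 60 are assumed defaults, not values from the post.

# recent_ssh_rules PORT HITS SECONDS -> prints the iptables commands.
recent_ssh_rules() {
    port="${1:-22}"; hits="${2:-4}"; secs="${3:-60}"
    # 1. Every new TCP connection to PORT adds/refreshes the source
    #    address in the SSH_RECENT list.
    echo "iptables -A INPUT -p tcp --dport $port -m state --state NEW" \
         "-m recent --name SSH_RECENT --set"
    # 2. If that source has been seen HITS times within SECS seconds,
    #    drop the packet. --update refreshes the timestamp, so a client
    #    that keeps hammering stays blocked until it goes quiet.
    echo "iptables -A INPUT -p tcp --dport $port -m state --state NEW" \
         "-m recent --name SSH_RECENT --update --seconds $secs" \
         "--hitcount $hits -j DROP"
    # Packets that survive both rules fall through to the rest of the
    # INPUT chain, which decides whether to accept them.
}

# apply_recent_ssh_rules PORT HITS SECONDS -> runs the commands (root).
apply_recent_ssh_rules() {
    recent_ssh_rules "$@" | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd" || return 1
    done
}

# show_recent_list NAME -> dumps the module's tracking data for NAME
# (addresses, last-seen jiffies and per-hit timestamps), if the
# ipt_recent proc entry exists on this kernel.
show_recent_list() {
    f="/proc/net/ipt_recent/${1:-SSH_RECENT}"
    [ -r "$f" ] && cat "$f"
}

# Print the rules for port 22, four new connections per minute.
recent_ssh_rules 22 4 60
```

Run `apply_recent_ssh_rules 22 4 60` as root to install the rules; `show_recent_list` then lets you watch the list fill up under a brute-force attempt.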

I’ve been using this for somewhere between 6 and 12 months, and have been very happy with it. However, after a recent upgrade, ssh started to act up on certain machines - all connections, even from machines on the local subnet, were refused. Experimentation revealed that this was due to the iptables ‘recent’ rules.

There’s a discussion of exactly what happens here, and it’s also been reported as a Debian bug (however, I can confirm that it also affects at least RHEL4 on its current kernel). Looking at the files in /proc/net/ipt_recent (which is where the module keeps track of the relevant data), this is exactly what I was experiencing.

It’s been fixed in 2.6.12 and upwards; unfortunately, the current Debian stable kernel is 2.6.8 (the current RHEL4 is 2.6.9). Solutions: either remove the ‘recent’ rule for the moment and live with the script-kiddies (as mentioned above, you should be enforcing decent password policies…); or use apt-get pinning (on Debian) to upgrade your kernel; or be prepared to reboot every 25 days…