Limiting number of new connections

From Notes_Wiki

Home > CentOS > CentOS 6.x > Iptables configuration > Limiting number of new connections

We can also limit the number of new connection attempts per interval using iptables. This is needed even though we can already limit the number of simultaneous connections, because a limit on simultaneous connections alone does not stop brute-force attacks: an attacker can quickly try different passwords by opening many connections one after another, keeping only two or three open at any time.

Hence, to protect against brute force we can use the recent module, which counts packets seen within a given time interval rather than the connections currently open.

The sample below can be used to ensure that only the first three connection attempts to SSH from a given source address are allowed in a minute. All further attempts get a 'No route to host' error.

-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --name ssh_limit --set
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --name ssh_limit --rcheck \
        --seconds 60 --hitcount 4 -j LOG
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --name ssh_limit --rcheck \
        --seconds 60 --hitcount 4 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
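To make the sliding-window behaviour of these four rules concrete, here is an added Python model of the recent match (an example written for this page, not kernel or iptables code): --set appends one timestamp per NEW packet, the oldest stamp being dropped once ip_pkt_list_tot are stored, and --rcheck --seconds 60 --hitcount 4 matches when at least four stamps are newer than 60 seconds. The source addresses and timings are constructed.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Kernel default for the number of timestamps kept per address (see the parameters section)
IP_PKT_LIST_TOT = 20


class RecentTable:
    """Model of one --name table of the recent match (added example, not kernel code)."""

    def __init__(self, pkt_list_tot: int = IP_PKT_LIST_TOT) -> None:
        # One bounded list of timestamps per source address; the oldest stamp is
        # overwritten once ip_pkt_list_tot stamps are stored, as in the kernel module.
        self.stamps: Dict[str, Deque[int]] = defaultdict(lambda: deque(maxlen=pkt_list_tot))

    def set(self, src: str, now: int) -> None:
        """--set: record that src sent a packet at time 'now' (seconds)."""
        self.stamps[src].append(now)

    def rcheck(self, src: str, now: int, seconds: int, hitcount: int) -> bool:
        """--rcheck --seconds S --hitcount N: true if src has at least N stamps newer than S seconds."""
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t < seconds)
        return hits >= hitcount


def new_ssh_packet(table: RecentTable, src: str, now: int,
                   seconds: int = 60, hitcount: int = 4) -> str:
    """Walk one NEW packet to port 22 through the four rules above; return the terminating target."""
    table.set(src, now)                              # rule 1: --set, then fall through
    if table.rcheck(src, now, seconds, hitcount):    # rules 2 and 3 share this match
        return "REJECT"                              # rule 2 logs, rule 3 rejects (icmp-host-prohibited)
    return "ACCEPT"                                  # rule 4


def simulate(attempts: List[Tuple[str, int]]) -> List[str]:
    """Apply the rule set to a sequence of (source address, time in seconds) NEW packets."""
    table = RecentTable()
    return [new_ssh_packet(table, src, when) for src, when in attempts]


if __name__ == "__main__":
    # Constructed sample: one source retries every 10 s, a second source connects once.
    sample = [("203.0.113.5", t) for t in (0, 10, 20, 30, 40)] + [("198.51.100.7", 41), ("203.0.113.5", 100)]
    for (src, when), verdict in zip(sample, simulate(sample)):
        print(f"t={when:3d}s {src:14s} -> {verdict}")
```

Because --set runs before --rcheck on every NEW packet, rejected attempts are counted too, so a source that keeps retrying stays rejected until it has been quiet for the whole window.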


ipt_recent module

Parameters

Note that the ipt_recent module uses these values by default:

ip_list_tot=100         Number of addresses remembered per table
ip_pkt_list_tot=20      Number of packets remembered per address
ip_list_hash_size=0     Hash table size; 0 means calculate it from ip_list_tot (default: 512)
ip_list_perms=0644      Permissions for the /proc/net/ipt_recent/* files

Hence if we use --hitcount 21, which is greater than the default of 20, the iptables rule will fail to load. To raise the limit we need to pass a larger value for this parameter to the ipt_recent kernel module. This can be done using:

service iptables stop
rmmod ipt_recent
modprobe ipt_recent ip_pkt_list_tot=70
service iptables start

assuming we want to increase the limit from 20 to 70.

We can use 'modinfo ipt_recent' to check the parameters accepted by the ipt_recent module available on the current system.


Checking existing addresses

The folder '/proc/net/ipt_recent' contains one file per --name used in the iptables rules. The following commands show the stored IP addresses or change them:

echo xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT      # add an address to the DEFAULT list
echo -xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT     # remove an address from the DEFAULT list
echo clear > /proc/net/ipt_recent/DEFAULT            # empty the DEFAULT list
cat /proc/net/ipt_recent/DEFAULT                     # show the DEFAULT list
