Difference between revisions of "Limiting number of new connections"
Latest revision as of 13:26, 14 July 2022
We can also limit the number of new connection attempts per time interval using iptables. This is needed even when we already limit the number of simultaneous connections, because a cap on simultaneous connections alone does not stop brute-force attacks: an attacker can try many passwords by opening connections one after another, so that only two or three connections are open at any moment.
Hence, to protect against brute force we can use the recent module, which counts packets within a given time interval rather than the number of connections currently open.
The sample below allows only the first three new connection attempts to ssh per minute from a given address. All further attempts are rejected with icmp-host-prohibited, which the client sees as a 'No route to host' error.
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --name ssh_limit --set
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --name ssh_limit --rcheck \
    --seconds 60 --hitcount 4 -j LOG
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --name ssh_limit --rcheck \
    --seconds 60 --hitcount 4 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
ipt_recent module
Parameters
Note that by default the ipt_recent module uses these values:
ip_list_tot=100          Number of addresses remembered per table
ip_pkt_list_tot=20       Number of packets per address remembered
ip_list_hash_size=0      Hash table size. 0 means calculate it from ip_list_tot (default: 512)
ip_list_perms=0644       Permissions for /proc/net/ipt_recent/* files
Hence, if we use --hitcount 21, which is greater than the default of 20, the iptables rule will fail to load. To raise the limit we need to pass a larger value for the parameter above to the ipt_recent kernel module when it is loaded. This can be done using:
service iptables stop
rmmod ipt_recent
modprobe ipt_recent ip_pkt_list_tot=70
service iptables start
assuming we want to increase the limit from 20 to 70.
We can use 'modinfo ipt_recent' to check which parameters the ipt_recent module on the current system accepts.
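To make the behaviour of the rule set above concrete, here is an added Python model (not code from the wiki page) of the recent match's --set / --rcheck --seconds --hitcount logic and the ip_pkt_list_tot cap, run over a constructed sequence of new ssh connection attempts. It assumes the page's rule order, where --set records the packet before --rcheck is evaluated, so rejected attempts also count toward the window.

```python
from collections import deque


class RecentTable:
    """Minimal model of the iptables 'recent' match: one list of packet
    timestamps per source address, capped at ip_pkt_list_tot (default 20)."""

    def __init__(self, ip_pkt_list_tot=20):
        self.ip_pkt_list_tot = ip_pkt_list_tot
        self.entries = {}  # address -> deque of timestamps, oldest first

    def set(self, addr, now):
        """--set: remember this packet's timestamp for addr (oldest dropped at cap)."""
        stamps = self.entries.setdefault(addr, deque(maxlen=self.ip_pkt_list_tot))
        stamps.append(now)

    def rcheck(self, addr, now, seconds, hitcount):
        """--rcheck --seconds N --hitcount M: match if addr has at least M
        remembered packets within the last N seconds; does not refresh the entry."""
        stamps = self.entries.get(addr)
        if stamps is None:
            return False
        return sum(1 for t in stamps if now - t <= seconds) >= hitcount


def ssh_filter(attempts, seconds=60, hitcount=4, ip_pkt_list_tot=20):
    """Apply the page's four-rule chain to (time, src_addr) NEW-connection attempts.
    Returns one verdict per attempt: 'ACCEPT' or 'REJECT'."""
    if hitcount > ip_pkt_list_tot:
        # iptables refuses to load a rule whose hitcount exceeds ip_pkt_list_tot
        raise ValueError("hitcount %d exceeds ip_pkt_list_tot %d" % (hitcount, ip_pkt_list_tot))
    table = RecentTable(ip_pkt_list_tot)
    verdicts = []
    for now, addr in attempts:
        table.set(addr, now)  # rule 1: --set, no target, processing continues
        if table.rcheck(addr, now, seconds, hitcount):
            verdicts.append("REJECT")  # rules 2 and 3: LOG, then REJECT
        else:
            verdicts.append("ACCEPT")  # rule 4
    return verdicts


# Constructed sample: 10.0.0.5 hammers ssh two or three connections at a time,
# while 192.0.2.10 makes a single legitimate attempt in between.
SAMPLE_ATTEMPTS = [(0, "10.0.0.5"), (5, "10.0.0.5"), (10, "10.0.0.5"), (12, "192.0.2.10"),
                   (15, "10.0.0.5"), (20, "10.0.0.5"), (76, "10.0.0.5"), (80, "10.0.0.5")]

if __name__ == "__main__":
    for (t, a), v in zip(SAMPLE_ATTEMPTS, ssh_filter(SAMPLE_ATTEMPTS)):
        print("t=%3d %-12s %s" % (t, a, v))
```

The fourth and fifth attempts from 10.0.0.5 are rejected; by t=76 only the t=20 stamp is still inside the 60-second window, so the address is admitted again.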
Checking existing addresses
If we look in the directory '/proc/net/ipt_recent', we can see one file per --name used in the iptables rules. We can use the following commands to see the stored IP addresses or to change the list:
echo xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT      add an address to the DEFAULT list
echo -xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT     remove an address from the DEFAULT list
echo clear > /proc/net/ipt_recent/DEFAULT            empty the DEFAULT list
cat /proc/net/ipt_recent/DEFAULT                     show the DEFAULT list