
I am currently using the following to limit IP connections:

iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 4 --connlimit-mask 32 -j REJECT --reject-with tcp-reset

to limit connections per IP to port 22, so the connection limit is 4, but sometimes I see that some IPs can still connect with 50 connections. Any advice to fix this? My tables are as follows:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere             tcp dpt:20000 flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 2 reject-with tcp-reset
REJECT     tcp  --  anywhere             anywhere             tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 2 reject-with tcp-reset

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


netstat -ant | awk '{print $6}' | sort | uniq -c | sort -n
      1 CLOSE_WAIT
      1 established)
      1 Foreign
      6 FIN_WAIT2
     11 LISTEN
     12 TIME_WAIT
     58 FIN_WAIT1
     80 ESTABLISHED
     90 LAST_ACK
    135 SYN_RECV

Added iptables output:

sudo iptables -v -x -n -L
Chain INPUT (policy ACCEPT 12000346 packets, 771042886 bytes)
    pkts      bytes target     prot opt in     out     source               destination  
       0        0 ACCEPT     tcp  --  lxcbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
       0        0 ACCEPT     udp  --  lxcbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
       0        0 ACCEPT     tcp  --  lxcbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
       0        0 ACCEPT     udp  --  lxcbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
       0        0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:20000 flags:0x17/0x02 #conn src/32 > 2 reject-with tcp-reset
  401401 20329584 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 flags:0x17/0x02 #conn src/32 > 2 reject-with tcp-reset

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination  
       0        0 ACCEPT     all  --  *      lxcbr0  0.0.0.0/0            0.0.0.0/0      
       0        0 ACCEPT     all  --  lxcbr0 *       0.0.0.0/0            0.0.0.0/0      

Chain OUTPUT (policy ACCEPT 11508472 packets, 493814350 bytes)
    pkts      bytes target     prot opt in     out     source               destination  
  • Your rule seems to be fine. Could you show us the overall context of your entire iptables rule set? Can you show us how you determined that an IP had 50 connections at the same time to port 22. – Doug Smythies Aug 27 '16 at 14:53
  • @DougSmythies I added my iptables and how it looks. I still cannot limit the connections per IP; some IPs during the attack are going to 500 connections. Also I tried your solution, still the same result – Vlark.Lopin Aug 30 '16 at 05:08
  • I am having difficulty understanding what is going on. Please add the counters to your iptables stuff above, so we can observe how many times the REJECT path was taken. I'm asking you to replace your iptables list with the output of sudo iptables -v -x -n -L. In your summarized list are those 135 SYN_RECV connections all to port 20000 or 22? And all from the same or a small number of IPs? – Doug Smythies Aug 30 '16 at 15:00
  • They are all on port 22. There are about 100 IPs; they all have between 4 and 1 connections, and at the end of the list there are about 5 IPs with a high number of connections, like 150 and more – Vlark.Lopin Aug 30 '16 at 15:35
  • @DougSmythies I also added the new iptables output that you requested – Vlark.Lopin Aug 30 '16 at 16:11
  • Your port 22 rule has been hit 401401 times, so it seems to be working fine. – Doug Smythies Aug 30 '16 at 17:05
  • But some IPs have 200 connections per IP; they shouldn't be able to connect if they have more than 2 connections opened – Vlark.Lopin Aug 30 '16 at 20:24
  • Could you show us some of your data? Perhaps use sudo netstat -ntu and don't post process down to just counts, but rather edit that into your question. You can edit to hide your IP address if you want, but leave the bad guy IP addresses. – Doug Smythies Sep 01 '16 at 00:01
  • There are 100s of IPs – Vlark.Lopin Sep 01 '16 at 14:49
  • And a couple of them have sent 150 and recv 0 – Vlark.Lopin Sep 01 '16 at 14:54
  • There are 100's of different IP addresses, some with up to 200 active connections at one time? Pick one IP with the most active connections and show us that one. Consider disabling port 22 completely for a while, with a DROP rule. Many people like and use fail2ban, so you could look into it (I don't use it). Are you getting many entries in /var/log/auth.log? – Doug Smythies Sep 01 '16 at 15:10
  • Is your /etc/ssh/sshd_config the default file? If you made any changes from default, tell us what they are. – Doug Smythies Sep 01 '16 at 15:32
