Reinforce Linux security with the Recent Module


As is well known, Linux can filter the packets entering and leaving a host by means of iptables rules, which improves the host's security to a certain extent. Newer kernels add the recent module: it keeps, per source or destination address, a record of the packets that have passed through the host during a recent time window, and rules can act on those counts. See: http://snowman.net/projects/ipt_recent/

1. The recent module can be used to prevent brute-force guessing of user passwords on a Linux host. Normally you would use iptables to allow only certain network segments to reach the host's 22/TCP port, but if the administrator's IP address changes frequently, such a rule is hard to maintain. The following two rules solve the problem with the recent module:

-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j DROP

-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource -j ACCEPT

After these rules are applied, if an IP address initiates more than four new connections to the host's 22/TCP port within one minute, the additional new connections are dropped.

2. The recent module can be used to prevent port scanning.

-A INPUT -m recent --update --seconds 60 --hitcount 20 --name PORTSCAN --rsource -j DROP

-A INPUT -m recent --set --name PORTSCAN --rsource -j DROP

After these rules are applied, if an IP address sends packets to ports the host does not allow more than 20 times within one minute, the host stops accepting traffic from that address, which also interrupts any connection between that address and the local machine.

The detailed configuration, in iptables-save format, is as follows:

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [458:123843]
-A INPUT -i lo -j ACCEPT
-A INPUT -i tap+ -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m recent --update --seconds 60 --hitcount 20 --name PORTSCAN --rsource -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -m recent --set --name PORTSCAN --rsource -j DROP
COMMIT

The configuration above shows that the ports opened for service on the local machine are 22/TCP (with a connection-rate limit), 53/TCP and 53/UDP, 80/TCP and 443/TCP; all other IP packets sent to the local machine are treated as a port scan. If a source sends more than 20 such packets within one minute, it is blocked, and the block is lifted automatically after more than one minute.
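To make the behaviour of the SSH rule pair (section 1), the PORTSCAN rule pair (section 2) and their ordering in the full chain concrete, here is an added simulation of the recent match semantics. It is not code from the original article; it models --set, --update, --seconds and --hitcount the way modern xt_recent evaluates them (a --update rule refreshes the entry only when its hitcount condition matches) and replays constructed connection attempts through the INPUT chain above. Packet dicts, addresses and timestamps are all constructed for the demo, and the per-address stamp list is unbounded here, whereas the real module keeps at most ip_pkt_list_tot (default 20) timestamps per address.

```python
"""Simulation of the iptables 'recent' match over the article's INPUT chain.

Added example, not the article's own code.  Time is in seconds; packets are
plain dicts constructed inline; DNS/443 rules are omitted for brevity.
"""
from collections import defaultdict

ACCEPT, DROP = "ACCEPT", "DROP"


class RecentList:
    """One named list (e.g. 'SSH' or 'PORTSCAN'), keyed by source address (--rsource)."""

    def __init__(self):
        self.stamps = defaultdict(list)  # addr -> timestamps of recorded hits

    def set(self, addr, now):
        # --set: add the address (one more timestamp) to the list; always matches.
        self.stamps[addr].append(now)
        return True

    def check(self, addr, now, seconds, hitcount, update):
        # --rcheck / --update: match if the address is listed and has at least
        # `hitcount` timestamps inside the last `seconds`.  With --update a
        # successful match also records the current time, so an address that
        # keeps sending while blocked stays blocked; the block only expires
        # after the address has been quiet for `seconds`.
        if addr not in self.stamps:
            return False
        hits = sum(1 for s in self.stamps[addr] if now - s <= seconds)
        matched = hits >= hitcount
        if matched and update:
            self.stamps[addr].append(now)
        return matched


def build_chain(lists):
    """The article's INPUT chain, reduced to the rules relevant to the demo.

    Each rule is (predicate, verdict); the first matching rule decides.
    The chain policy is DROP, as in the article's ':INPUT DROP'.
    """
    ssh, scan = lists["SSH"], lists["PORTSCAN"]
    return [
        # -A INPUT -m recent --update --seconds 60 --hitcount 20 --name PORTSCAN --rsource -j DROP
        (lambda p, t: scan.check(p["src"], t, 60, 20, update=True), DROP),
        # -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
        (lambda p, t: p["state"] != "NEW", ACCEPT),
        # -A INPUT -p tcp --dport 22 --state NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
        (lambda p, t: p["dport"] == 22 and p["state"] == "NEW"
         and ssh.check(p["src"], t, 60, 4, update=True), DROP),
        # -A INPUT -p tcp --dport 22 --state NEW -m recent --set --name SSH -j ACCEPT
        (lambda p, t: p["dport"] == 22 and p["state"] == "NEW"
         and ssh.set(p["src"], t), ACCEPT),
        # -A INPUT -p tcp --dport 80 --state NEW -j ACCEPT
        (lambda p, t: p["dport"] == 80 and p["state"] == "NEW", ACCEPT),
        # -A INPUT -m recent --set --name PORTSCAN --rsource -j DROP
        (lambda p, t: scan.set(p["src"], t), DROP),
    ]


def verdict(chain, packet, now, policy=DROP):
    """Walk the chain in order and return the first matching verdict."""
    for predicate, action in chain:
        if predicate(packet, now):
            return action
    return policy


def pkt(src, dport, state="NEW"):
    return {"src": src, "dport": dport, "state": state}  # constructed packet


def run_ssh_scenario():
    """Four quick SSH connections, retries every 10 s while blocked, then one
    attempt after a minute of silence.  Returns the verdict per attempt."""
    chain = build_chain({"SSH": RecentList(), "PORTSCAN": RecentList()})
    times = [0, 5, 10, 15, 20, 30, 40, 50, 60, 70, 130]
    return [verdict(chain, pkt("10.0.0.5", 22), t) for t in times]


def run_portscan_scenario():
    """One host probes closed port 8080 once a second for 25 s, then tries
    normal traffic; a second host is unaffected."""
    chain = build_chain({"SSH": RecentList(), "PORTSCAN": RecentList()})
    probes = [verdict(chain, pkt("10.0.0.9", 8080), t) for t in range(25)]
    after = {
        # PORTSCAN --update precedes the ESTABLISHED accept, so even an
        # existing connection from the scanner is cut off.
        "scanner_established_http": verdict(chain, pkt("10.0.0.9", 80, "ESTABLISHED"), 30),
        "scanner_new_http": verdict(chain, pkt("10.0.0.9", 80), 30),
        "other_host_new_http": verdict(chain, pkt("10.0.0.7", 80), 30),
        "scanner_after_quiet": verdict(chain, pkt("10.0.0.9", 80), 120),
    }
    return probes, after


if __name__ == "__main__":
    print("SSH verdicts:", run_ssh_scenario())
    probes, after = run_portscan_scenario()
    print("probes dropped:", probes.count(DROP), "of", len(probes))
    for name, v in after.items():
        print(f"{name}: {v}")
```

Running it shows the fifth new SSH connection being dropped, every retry inside the window keeping the address blocked, and the block expiring once the address stays quiet for 60 seconds. For the scanner, the 25 probes are all dropped (the first 20 by the --set rule, the rest by the --update rule), and because the PORTSCAN --update rule sits before the RELATED,ESTABLISHED accept, the scanner's existing connections are interrupted too, while another host's traffic is unaffected.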

Beyond this, the recent module can implement far more elaborate policies. For example, 22/TCP can be closed to all hosts, and only after a host has connected to 23/TCP, 24/TCP and 25/TCP in sequence is 22/TCP opened to that host's IP address.
