In Linux, iptables rules filter the packets entering and leaving the host and so improve its security to a certain extent. Newer kernels add the recent module, which keeps per-source-address (or per-destination-address) statistics about the packets that passed through the local machine during a recent time window, and lets rules make decisions based on those statistics. See: http://snowman.net/projects/ipt_recent/
1. The recent module can be used to prevent brute-force guessing of user passwords on a Linux host. Normally you would use iptables to allow access to 22/TCP only from certain network segments, but if the administrator's IP address changes frequently, such a static rule is hard to apply. The following two rules solve the problem with the recent module:
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource -j ACCEPT
After these rules are applied, if an IP address initiates more than four new connections to the host's 22/TCP port within one minute, its further new connections are dropped. The order matters: the --update rule must come before the --set rule, otherwise every connection would be counted and accepted.
2. The recent module can also prevent port scanning:
-A INPUT -m recent --update --seconds 60 --hitcount 20 --name PORTSCAN --rsource -j DROP
-A INPUT -m recent --set --name PORTSCAN --rsource -j DROP
After these rules are applied, if an IP address sends more than 20 packets within one minute to ports the host does not allow, the host drops all further traffic from that address (because the --update rule sits at the top of the chain, this cuts existing connections as well).
The detailed configuration is as follows:
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [458:123843]
-A INPUT -i lo -j ACCEPT
-A INPUT -i tap+ -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m recent --update --seconds 60 --hitcount 20 --name PORTSCAN --rsource -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -m recent --set --name PORTSCAN --rsource -j DROP
COMMIT
This configuration opens the following service ports on the local machine: 22/TCP (with a connection-rate limit), 53/TCP and 53/UDP, 80/TCP and 443/TCP. Every other IP packet addressed to the host is treated as a port-scan probe: if one address sends more than 20 such packets within a minute, that address is blocked, and it is unblocked automatically once it has been quiet for more than a minute.
The recent module can implement much more elaborate schemes. For example, 22/TCP can be closed to every host and opened to your IP address only after you have connected to ports 23/TCP, 24/TCP and 25/TCP in that order (a form of port knocking).
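To make the behaviour of the SSH rate-limit rules and of the port-knocking idea above concrete, here is an added example (written for this page, not code from the original article or from the ipt_recent project): a small Python model of the recent match that mirrors the xt_recent kernel logic for --set, --rcheck and --update with --seconds and --hitcount, and runs the page's two SSH rules and an assumed three-port knock sequence over constructed connection timestamps. The source addresses, timestamps and the knock rule set (ports 23, 24, 25 within 10 s of each other, opening 22/TCP for 60 s) are constructed assumptions for the simulation.

```python
"""Model of the iptables `recent` match (added example, not kernel code).

Semantics reproduced from xt_recent: each named list maps a source address to
the times it was seen; --set always adds a stamp; --rcheck/--update match only
if the address is listed and at least --hitcount stamps fall within the last
--seconds; --update adds a fresh stamp only when it matches.
"""

IP_PKT_LIST_TOT = 20  # xt_recent default: stamps kept per address (ip_pkt_list_tot)


class RecentTable:
    """name -> {source address -> list of stamps (seconds)}."""

    def __init__(self):
        self.lists = {}

    def _stamp(self, name, src, now):
        stamps = self.lists.setdefault(name, {}).setdefault(src, [])
        stamps.append(now)
        del stamps[:-IP_PKT_LIST_TOT]  # ring buffer: only the newest stamps survive

    def set(self, name, src, now):
        """--set: record the address; always matches."""
        self._stamp(name, src, now)
        return True

    def check(self, name, src, now, seconds=0, hitcount=0, update=False):
        """--rcheck (update=False) or --update (update=True)."""
        stamps = self.lists.get(name, {}).get(src)
        if stamps is None:
            return False
        hits = 0
        for t in stamps:
            if seconds and now - t > seconds:
                continue  # older than --seconds, does not count
            hits += 1
            if not hitcount or hits >= hitcount:
                if update:
                    self._stamp(name, src, now)  # refresh "last seen"
                return True
        return False


def ssh_decision(table, src, now):
    """The page's two rules for a NEW connection to 22/tcp, in chain order."""
    if table.check("SSH", src, now, seconds=60, hitcount=4, update=True):
        return "DROP"    # --update --seconds 60 --hitcount 4 matched
    table.set("SSH", src, now)
    return "ACCEPT"      # --set rule


def simulate_ssh(times, src="198.51.100.7"):
    """Decisions for one (constructed) address opening connections at `times`."""
    table = RecentTable()
    return [ssh_decision(table, src, t) for t in times]


def knock_decision(table, src, dport, now):
    """Assumed port-knocking chain (hypothetical rules, not from the page):
    -A INPUT -p tcp --dport 23 -m recent --set --name K1 -j DROP
    -A INPUT -p tcp --dport 24 -m recent --rcheck --seconds 10 --name K1 \
        -m recent --set --name K2 -j DROP
    -A INPUT -p tcp --dport 25 -m recent --rcheck --seconds 10 --name K2 \
        -m recent --set --name K3 -j DROP
    -A INPUT -p tcp --dport 22 -m recent --rcheck --seconds 60 --name K3 -j ACCEPT
    (chain policy DROP)"""
    if dport == 23:
        table.set("K1", src, now)
        return "DROP"
    if dport == 24 and table.check("K1", src, now, seconds=10):
        table.set("K2", src, now)
        return "DROP"
    if dport == 25 and table.check("K2", src, now, seconds=10):
        table.set("K3", src, now)
        return "DROP"
    if dport == 22 and table.check("K3", src, now, seconds=60):
        return "ACCEPT"
    return "DROP"


def run_knock(events):
    """events: (src, dport, time) tuples; returns the decision for each."""
    table = RecentTable()
    return [knock_decision(table, src, dport, t) for src, dport, t in events]


if __name__ == "__main__":
    # Five new SSH connections 10 s apart: the fifth is the first one dropped.
    print(simulate_ssh([0, 10, 20, 30, 40, 50]))
    # Over a minute of silence clears the address again.
    print(simulate_ssh([0, 10, 20, 30, 40, 200]))
    # Correct knock opens 22/tcp for that address only, and only for 60 s.
    print(run_knock([("198.51.100.7", 22, 0), ("198.51.100.7", 23, 1),
                     ("198.51.100.7", 24, 2), ("198.51.100.7", 25, 3),
                     ("198.51.100.7", 22, 4), ("203.0.113.9", 22, 5),
                     ("198.51.100.7", 22, 100)]))
```

Two points the model makes visible: the --update rule adds a stamp each time it drops a packet, so an address that keeps connecting at four or more attempts per minute stays blocked for as long as it keeps trying, while one that goes quiet for over a minute is accepted again; and in the knock chain the lists are keyed by source address, so a knock from one address never opens 22/TCP for another.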