
I am trying to block port scanners that have /24 IPv4 subnets that they slowly rotate between to try to avoid detection.

My iptables rules are

-A RATE-LIMIT --match hashlimit --hashlimit-upto 2/hour --hashlimit-burst 2 --hashlimit-srcmask 24 --hashlimit-name conn_rate_limit --jump RETURN
-A RATE-LIMIT --jump LOG --log-prefix "Limit Reject: "
-A RATE-LIMIT --jump DROP

When I try to port scan myself, it is properly detected, but the following traffic flow is not (each attempt is 5 seconds apart):

SRC=212.133.164.xxx PROTO=TCP DPT=2347
SRC=212.133.164.xxx PROTO=TCP DPT=61715
SRC=212.133.164.xxx PROTO=TCP DPT=8701
SRC=212.133.164.xxx PROTO=TCP DPT=49290
SRC=212.133.164.xxx PROTO=TCP DPT=2346
SRC=212.133.164.xxx PROTO=TCP DPT=2869
SRC=212.133.164.xxx PROTO=TCP DPT=47074
SRC=212.133.164.xxx PROTO=TCP DPT=65001
SRC=212.133.164.xxx PROTO=TCP DPT=61832
SRC=212.133.164.xxx PROTO=TCP DPT=50430
SRC=212.133.164.xxx PROTO=TCP DPT=50075
SRC=212.133.164.xxx PROTO=TCP DPT=2061
SRC=212.133.164.xxx PROTO=TCP DPT=50814
SRC=212.133.164.xxx PROTO=TCP DPT=58330
SRC=212.133.164.xxx PROTO=TCP DPT=56761
SRC=212.133.164.xxx PROTO=TCP DPT=56817
SRC=212.133.164.xxx PROTO=TCP DPT=49706
SRC=212.133.164.xxx PROTO=TCP DPT=3375
SRC=212.133.164.xxx PROTO=TCP DPT=59662
SRC=212.133.164.xxx PROTO=TCP DPT=49681
SRC=212.133.164.xxx PROTO=TCP DPT=64893
SRC=212.133.164.xxx PROTO=TCP DPT=42781

My understanding of hashlimit-srcmask is:

When --hashlimit-mode srcip is used, all source addresses encountered will be grouped according to the given prefix length and the so-created subnet will be subject to hashlimit. prefix must be between (inclusive) 0 and 32. Note that --hashlimit-srcmask 0 is basically doing the same thing as not specifying srcip for --hashlimit-mode, but is technically more expensive.

which, using 24 as the mask, should block all traffic from 212.133.164.0/24 once the limit has been reached, but the match never occurs.

1 Answer

May I suggest changing the time from 2/hour to the following:

300/sec, which is a very lax version of 5/minute; this will significantly change the results.

Or, if you want to be VERY VERY STRICT:

5/min or 5/minutes. This will definitely kill the connections after 2 connections. Just so you don't have to write them down:

-A RATE-LIMIT --match hashlimit --hashlimit-upto 300/sec --hashlimit-burst 2 --hashlimit-srcmask 24 --hashlimit-name conn_rate_limit --jump RETURN
-A RATE-LIMIT --jump LOG --log-prefix "Limit Reject: "
-A RATE-LIMIT --jump DROP

-A RATE-LIMIT --match hashlimit --hashlimit-upto 5/minute --hashlimit-burst 2 --hashlimit-srcmask 24 --hashlimit-name conn_rate_limit --jump RETURN
-A RATE-LIMIT --jump LOG --log-prefix "Limit Reject: "
-A RATE-LIMIT --jump DROP

I hope this solves your issue.

  • 300 per second is not equal to 5 per minute; you got it the wrong way round there. (Commented Jul 11, 2022 at 7:30)
  • So 300 seconds is not 5 minutes? Go to a seconds-to-minutes converter. – Sign High (Commented Nov 2, 2022 at 2:33)
  • I'm not sure if you're trying to mess with me or are confused, but 300 per second = 18000 per minute. Maybe what you really wanted was 5/minute, not 300/second, which is 18000 per minute. (Commented Nov 2, 2022 at 8:57)
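To see what each of the rates discussed above actually does against the probe pattern in the question, here is an added example (not code from the question, the answer, or the iptables project) that models hashlimit as a token bucket keyed by the source network truncated to --hashlimit-srcmask bits. It assumes --hashlimit-mode srcip, which the manual text quoted in the question says the srcmask grouping depends on; the kernel's integer credit arithmetic is simplified to exact fractions; the source addresses are constructed from RFC 5737 documentation space rather than the real prefix; and parse_rate, HashLimit, replay, PORTS and SCAN are names of the example's own.

```python
import ipaddress
import re
from fractions import Fraction

# Rate units accepted after the slash in --hashlimit-upto; each maps to seconds.
UNIT_SECONDS = {"sec": 1, "second": 1, "min": 60, "minute": 60,
                "hour": 3600, "day": 86400}


def parse_rate(spec):
    """Convert a rate such as '5/minute' to tokens per second (exact Fraction)."""
    count, unit = spec.split("/")
    return Fraction(int(count), UNIT_SECONDS[unit])


class HashLimit:
    """Simplified token-bucket model of xt_hashlimit: one bucket per source
    network, the network being the source address truncated to
    --hashlimit-srcmask bits (this models --hashlimit-mode srcip)."""

    def __init__(self, upto, burst, srcmask):
        self.rate = parse_rate(upto)      # refill rate, tokens per second
        self.burst = Fraction(burst)      # bucket capacity (--hashlimit-burst)
        self.srcmask = srcmask
        self.buckets = {}                 # network -> [tokens, last_seen]

    def group(self, src):
        """Bucket key: the /srcmask network that contains src."""
        net = ipaddress.ip_network(f"{src}/{self.srcmask}", strict=False)
        return net.network_address

    def allow(self, src, now):
        """True when the packet is within the limit (the hashlimit match
        succeeds, so the rule jumps to RETURN); False when it would fall
        through to the LOG and DROP rules."""
        bucket = self.buckets.setdefault(self.group(src), [self.burst, now])
        tokens, last = bucket
        # Refill for the time elapsed since the last packet, capped at burst.
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1
        if allowed:
            tokens -= 1
        bucket[0], bucket[1] = tokens, now
        return allowed


SRC_RE = re.compile(r"SRC=(\S+)")

# Constructed replay of the probe pattern in the question: 22 probes to the
# ports listed there, 5 seconds apart, from rotating hosts inside one /24
# (192.0.2.0/24 is RFC 5737 documentation space, standing in for the real prefix).
PORTS = [2347, 61715, 8701, 49290, 2346, 2869, 47074, 65001, 61832, 50430,
         50075, 2061, 50814, 58330, 56761, 56817, 49706, 3375, 59662, 49681,
         64893, 42781]
SCAN = [(5 * i, f"SRC=192.0.2.{(37 * i) % 254 + 1} PROTO=TCP DPT={port}")
        for i, port in enumerate(PORTS)]


def replay(log, upto, burst=2, srcmask=24):
    """Run (timestamp, log line) pairs through the model; return (passed, dropped)."""
    hl = HashLimit(upto, burst, srcmask)
    passed = dropped = 0
    for now, line in log:
        src = SRC_RE.search(line).group(1)
        if hl.allow(src, now):
            passed += 1
        else:
            dropped += 1
    return passed, dropped


if __name__ == "__main__":
    for upto in ("2/hour", "300/sec", "5/minute"):
        print(f"{upto:>9} burst 2 srcmask 24 -> (passed, dropped) = {replay(SCAN, upto)}")
    print(f"   2/hour burst 2 srcmask 32 -> (passed, dropped) = {replay(SCAN, '2/hour', srcmask=32)}")
```

With the question's timing (one probe every 5 seconds) the model passes 2 probes and drops 20 at 2/hour, passes all 22 at 300/sec (the bucket refills 1500 tokens between probes, so the burst of 2 is always available), and passes 10 of 22 at 5/minute, where one token is refilled every 12 seconds. The srcmask=32 run shows why the /24 grouping matters against slow rotation: with a bucket per host, every rotated address starts with a fresh burst and nothing is dropped. On a real box, the per-network entries that hashlimit is tracking can be inspected in /proc/net/ipt_hashlimit/conn_rate_limit (the file is named after --hashlimit-name); if the /24 entry never appears there, check that --hashlimit-mode srcip is present in the rule, since the quoted manual says the srcmask grouping only applies in that mode.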
