I am trying to block port scanners that have /24 IPv4 subnets that they slowly rotate between to try to avoid detection.
My iptables rules are:
-A RATE-LIMIT --match hashlimit --hashlimit-upto 2/hour --hashlimit-burst 2 --hashlimit-srcmask 24 --hashlimit-name conn_rate_limit --jump RETURN
-A RATE-LIMIT --jump LOG --log-prefix "Limit Reject: "
-A RATE-LIMIT --jump DROP
When I try to port scan myself, it is properly detected, but the following traffic flow is not (each attempt is 5 seconds apart):
SRC=212.133.164.xxx PROTO=TCP DPT=2347
SRC=212.133.164.xxx PROTO=TCP DPT=61715
SRC=212.133.164.xxx PROTO=TCP DPT=8701
SRC=212.133.164.xxx PROTO=TCP DPT=49290
SRC=212.133.164.xxx PROTO=TCP DPT=2346
SRC=212.133.164.xxx PROTO=TCP DPT=2869
SRC=212.133.164.xxx PROTO=TCP DPT=47074
SRC=212.133.164.xxx PROTO=TCP DPT=65001
SRC=212.133.164.xxx PROTO=TCP DPT=61832
SRC=212.133.164.xxx PROTO=TCP DPT=50430
SRC=212.133.164.xxx PROTO=TCP DPT=50075
SRC=212.133.164.xxx PROTO=TCP DPT=2061
SRC=212.133.164.xxx PROTO=TCP DPT=50814
SRC=212.133.164.xxx PROTO=TCP DPT=58330
SRC=212.133.164.xxx PROTO=TCP DPT=56761
SRC=212.133.164.xxx PROTO=TCP DPT=56817
SRC=212.133.164.xxx PROTO=TCP DPT=49706
SRC=212.133.164.xxx PROTO=TCP DPT=3375
SRC=212.133.164.xxx PROTO=TCP DPT=59662
SRC=212.133.164.xxx PROTO=TCP DPT=49681
SRC=212.133.164.xxx PROTO=TCP DPT=64893
SRC=212.133.164.xxx PROTO=TCP DPT=42781
My understanding of --hashlimit-srcmask is:
When --hashlimit-mode srcip is used, all source addresses encountered will be grouped according to the given prefix length and the so-created subnet will be subject to hashlimit. prefix must be between (inclusive) 0 and 32. Note that --hashlimit-srcmask 0 is basically doing the same thing as not specifying srcip for --hashlimit-mode, but is technically more expensive.
which, using "24" as the mask, should block all traffic from 212.133.164.0/24 after the limit has been met, but the matching does not occur.
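The following is an added example, not code from the question or from iptables/netfilter: a small Python model of the hashlimit semantics quoted above. It keeps one token bucket per key, where the key is the source address masked to the --hashlimit-srcmask prefix when --hashlimit-mode includes srcip, and a single shared bucket otherwise (as the man page note about srcmask 0 describes). The bucket starts with --hashlimit-burst tokens and refills at --hashlimit-upto. Class and function names (HashLimit, simulate) are mine, and the log lines are constructed in the question's format with invented last octets.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Bucket:
    tokens: float   # remaining credit for this key
    last: float     # timestamp of the last packet seen for this key


class HashLimit:
    """Model of the iptables hashlimit match (hypothetical class, added here).

    upto_per_hour / burst mirror --hashlimit-upto N/hour and --hashlimit-burst.
    srcmask mirrors --hashlimit-srcmask; mode mirrors --hashlimit-mode.
    """

    def __init__(self, upto_per_hour, burst, srcmask=32, mode=("srcip",)):
        self.refill_interval = 3600.0 / upto_per_hour   # seconds per new token
        self.burst = float(burst)
        self.srcmask = srcmask
        self.mode = set(mode)
        self.buckets = {}

    def key(self, src):
        # Without srcip in the mode every packet shares one bucket, which is
        # what the man page says srcmask 0 effectively does.
        if "srcip" not in self.mode:
            return "*"
        net = ipaddress.ip_network(f"{src}/{self.srcmask}", strict=False)
        return str(net)   # e.g. "212.133.164.0/24" for srcmask=24

    def allow(self, src, now):
        """True if the packet is within the rate (rule matches -> RETURN),
        False if it exceeds it (falls through to LOG and DROP)."""
        k = self.key(src)
        b = self.buckets.get(k)
        if b is None:
            b = Bucket(tokens=self.burst, last=now)
            self.buckets[k] = b
        # Refill credit proportionally to elapsed time, capped at the burst.
        elapsed = now - b.last
        b.tokens = min(self.burst, b.tokens + elapsed / self.refill_interval)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False


# Constructed log lines in the question's format (last octets invented).
LOG = [
    "SRC=212.133.164.10 PROTO=TCP DPT=2347",
    "SRC=212.133.164.10 PROTO=TCP DPT=61715",
    "SRC=212.133.164.11 PROTO=TCP DPT=8701",
    "SRC=212.133.164.12 PROTO=TCP DPT=49290",
    "SRC=212.133.164.10 PROTO=TCP DPT=2346",
    "SRC=212.133.164.13 PROTO=TCP DPT=2869",
]


def simulate(rule, log_lines, interval=5.0):
    """Feed log lines through the model, one every `interval` seconds.
    Returns a list of (src, dport, allowed) verdicts."""
    verdicts = []
    for i, line in enumerate(log_lines):
        fields = dict(f.split("=", 1) for f in line.split())
        src = fields["SRC"]
        verdicts.append((src, int(fields["DPT"]), rule.allow(src, i * interval)))
    return verdicts


if __name__ == "__main__":
    for mask in (24, 32):
        rule = HashLimit(upto_per_hour=2, burst=2, srcmask=mask)
        print(f"srcmask {mask}:")
        for src, dport, ok in simulate(rule, LOG):
            print(f"  {src:16} DPT={dport:<6} {'RETURN' if ok else 'LOG+DROP'}")
```

With srcmask 24 all hosts in 212.133.164.0/24 share one bucket, so only the first two attempts pass and the remainder are dropped; with srcmask 32 each host gets its own burst, so the third host's first packet is still allowed. The model is a simplification (the kernel tracks credit in its own units and expires idle entries), but it is enough to check what a given srcmask/mode combination is expected to do against a captured stream of attempts.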