Unix & Linux Asked by michalsol on November 17, 2021
I have a problem with adding rule against brute-force SSH attacks. I try to do it in the following way:
iptables -F
iptables -L
iptables -N SSHATTACK
iptables -A SSHATTACK -j LOG --log-prefix "Possible SSH attack! " --log-level 7
iptables -A SSHATTACK -j DROP
#Block each IP address for 120 seconds which establishes more than three connections within 120 seconds. In case of the fourth connection attempt, the request gets delegated to the SSHATTACK chain, which is responsible for logging the possible ssh attack and finally drops the request.
iptables -A INPUT -i venet0 -p tcp -m state --dport 22 --state NEW -m recent --set
iptables -A INPUT -i venet0 -p tcp -m state --dport 22 --state NEW -m recent --update --seconds 120 --hitcount 4 -j SSHATTACK
But I have a problem with these two lines:
iptables -A INPUT -i venet0 -p tcp -m state --dport 22 --state NEW -m recent --set
iptables -A INPUT -i venet0 -p tcp -m state --dport 22 --state NEW -m recent --update --seconds 120 --hitcount 4 -j SSHATTACK
Output after this command is
iptables: No chain/target/match by that name.
iptables -L
gives the following output:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain SSHATTACK (0 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level debug prefix `Possible SSH attack! '
DROP all -- anywhere anywhere
and iptables -S
gives:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N SSHATTACK
-A SSHATTACK -j LOG --log-prefix "Possible SSH attack! " --log-level 7
-A SSHATTACK -j DROP
ip add
gives (I've hidden IP addresses with '?'):
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/void
    inet 127.0.0.1/32 scope host venet0
    inet ?.?.?.248/20 brd ?.?.?.255 scope global venet0:0
What can I do to add this rule? What am I missing?
This is an old thread, but if anyone gets here this might help (solved for me).
The issue is a missing kernel driver. After adding
CONFIG_NETFILTER_XT_MATCH_RECENT=y
to the kernel config and recompiling it, the problem was solved. You can also add it as a module (=m) and insmod it at runtime.
Good luck!
Answered by sagivd on November 17, 2021
What am I missing?
You could reduce your own ruleset's complexity and allow something like fail2ban
to manage it for you. Available in a CentOS 7 package repository near you, or downloadable via EPEL on CentOS 6.
Fail2ban has rules ready made for blocking ssh
attacks, and there are a couple of tutorials here or here.
Answered by roaima on November 17, 2021
The --dport parameter doesn't belong inside the state match. Try:
iptables -A INPUT -i venet0 -p tcp --dport 22 -m state --state NEW -m recent --set
Answered by Richard Doyle on November 17, 2021
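To make the behaviour of the --set / --update --seconds 120 --hitcount 4 pair from the question concrete, here is an added Python model of the xt_recent list (written for this page, not code from the question or any answer). It assumes the default per-source ring of 20 timestamps (the ip_pkt_list_tot module parameter) and the corrected rule order with --dport outside the state match.

```python
from collections import deque

IP_PKT_LIST_TOT = 20  # xt_recent default: timestamps kept per source (module parameter)


class RecentTable:
    """Minimal model of one xt_recent list: a bounded ring of hit timestamps per source."""
    def __init__(self, depth=IP_PKT_LIST_TOT):
        self.stamps = {}
        self.depth = depth

    def _stamp(self, ip, now):
        self.stamps.setdefault(ip, deque(maxlen=self.depth)).append(now)

    def set(self, ip, now):
        """'-m recent --set': record a hit for this source; always matches."""
        self._stamp(ip, now)
        return True

    def update(self, ip, now, seconds, hitcount):
        """'-m recent --update --seconds S --hitcount N': match when the source already
        has >= N hits newer than now - S; a match also refreshes the entry."""
        stamps = self.stamps.get(ip)
        if stamps is None:
            return False
        hits = sum(1 for t in stamps if now - t < seconds)  # kernel test: stamp + S > now
        if hits >= hitcount:
            self._stamp(ip, now)  # this refresh keeps a source that keeps retrying blocked
            return True
        return False


def ssh_input_chain(table, src_ip, now, seconds=120, hitcount=4):
    """One NEW SSH connection through the question's two INPUT rules (corrected order)."""
    table.set(src_ip, now)  # rule 1: no target, only records the hit
    if table.update(src_ip, now, seconds, hitcount):
        return "SSHATTACK"  # rule 2: jump to the LOG + DROP chain
    return "ACCEPT"  # falls through to INPUT policy ACCEPT


def simulate(events, seconds=120, hitcount=4):
    """events: (time_in_seconds, src_ip) pairs in time order; returns one verdict each."""
    table = RecentTable()
    return [ssh_input_chain(table, ip, t, seconds, hitcount) for t, ip in events]


if __name__ == "__main__":
    # Constructed sample: 198.51.100.7 retries every 10 s, 203.0.113.9 is a normal user.
    events = [(0, "198.51.100.7"), (5, "203.0.113.9"), (10, "198.51.100.7"),
              (20, "198.51.100.7"), (30, "198.51.100.7"), (130, "198.51.100.7"),
              (260, "198.51.100.7"), (3600, "203.0.113.9")]
    for (t, ip), verdict in zip(events, simulate(events)):
        print(f"t={t:>5}s  {ip:<14} {verdict}")
```

The run shows the fourth attempt within 120 s being sent to SSHATTACK, an attempt at t=130 still blocked because --update refreshed the entry at t=30, and the source accepted again once 120 s have passed since its last attempt.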