Your message dated Wed, 12 Oct 2005 11:12:58 +0900 with message-id <[EMAIL PROTECTED]> and subject line Bug#333350: ipt_recent kernel module suffers from jiffies rollover has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
From: Rainer Schöpf <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: ipt_recent kernel module suffers from jiffies rollover
Date: Tue, 11 Oct 2005 15:46:03 +0200

Package: kernel-image-2.6.8-2-686-smp
Version: 2.6.8-16
Severity: serious

The ipt_recent kernel module suffers from a wraparound of the jiffies counter. The problem is described by the module author on

http://blog.blackdown.de/2005/05/09/fixing-the-ipt_recent-netfilter-module/

Since the correction didn't make it into the official kernel sources, I would be very grateful if the Debian kernels could pick up the change.

For reference:

I use the ipt_recent kernel module to protect against ssh attacks, with the following rules:

iptables -A dante_in -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
iptables -A dante_in -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --rsource -j ULOG --ulog-prefix "DROP SSH_brute_force:" --ulog-cprange 64
iptables -A dante_in -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --rsource -j DROP

After several weeks, ssh logins fail if they come from an IP address not yet known to the ipt_recent module. Reboot helps.

Rainer Schoepf

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686-smp
Locale: LANG=en_US.ISO-8859-15, LC_CTYPE=en_US.ISO-8859-15 (charmap=ISO-8859-15)

Versions of packages kernel-image-2.6.8-2-686-smp depends on:
ii  coreutils [fileutils]  5.2.1-2     The GNU core utilities
ii  fileutils              5.2.1-2     The GNU file management utilities
ii  initrd-tools           0.1.81.1    tools to create initrd image for p
ii  module-init-tools      3.2-pre1-2  tools for managing Linux kernel mo

-- no debconf information

---------------------------------------
From: Horms <[EMAIL PROTECTED]>
To: Rainer Schöpf <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Bug#333350: ipt_recent kernel module suffers from jiffies rollover
Date: Wed, 12 Oct 2005 11:12:58 +0900

On Tue, Oct 11, 2005 at 03:46:03PM +0200, Rainer Schöpf wrote:
> Package: kernel-image-2.6.8-2-686-smp
> Version: 2.6.8-16
> Severity: serious
>
> The ipt_recent kernel module suffers from a wraparound of the jiffies
> counter. The problem is described by the module author on
>
> http://blog.blackdown.de/2005/05/09/fixing-the-ipt_recent-netfilter-module/
>
> Since the correction didn't make it into the official kernel sources,
> I would be very grateful if the Debian kernels could pick up the change.

Unfortunately the patch didn't make it upstream because it is not correct.

This bug (333350) is actually a duplicate of 332231. I am forwarding your information to that bug and closing this one.

Thanks

> For reference:
>
> I use the ipt_recent kernel module to protect against ssh attacks,
> with the following rules:
>
> iptables -A dante_in -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
> iptables -A dante_in -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --rsource -j ULOG --ulog-prefix "DROP SSH_brute_force:" --ulog-cprange 64
> iptables -A dante_in -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --rsource -j DROP
>
> After several weeks, ssh logins fail if they come from an IP address not
> yet known to the ipt_recent module. Reboot helps.
>
> Rainer Schoepf

-- 
Horms
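
Added example, not part of the thread and not the ipt_recent source or the patch it discusses: a small C model of one way a wrapping 32-bit tick counter can make the first packet from a never-seen address look like a repeat hit. The slot layout, the HZ and SLOTS values, the function names and the tick values are all assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define HZ    1000u  /* assumed tick rate; a 32-bit counter then wraps every ~49.7 days */
#define SLOTS 4      /* assumed number of timestamps remembered per source address */

struct entry {
    uint32_t stamp[SLOTS];  /* tick at which each remembered packet arrived */
    unsigned used;          /* number of slots that hold a real timestamp */
};

/* Wrap-safe "a is later than b": same signed-difference idea as the kernel's time_after(). */
static int tick_after(uint32_t a, uint32_t b) { return (int32_t)(b - a) < 0; }

/* Flawed: compares every slot, including zero-filled ones that were never written. */
static unsigned hits_flawed(const struct entry *e, uint32_t now, uint32_t secs)
{
    unsigned n = 0;
    for (unsigned i = 0; i < SLOTS; i++)
        n += tick_after(e->stamp[i], now - secs * HZ);
    return n;
}

/* Checked: compares only the slots that were actually filled. */
static unsigned hits_checked(const struct entry *e, uint32_t now, uint32_t secs)
{
    unsigned n = 0;
    for (unsigned i = 0; i < e->used && i < SLOTS; i++)
        n += tick_after(e->stamp[i], now - secs * HZ);
    return n;
}

/* Hit count reported for the very first packet of a never-seen address (60 s window). */
static unsigned first_packet(uint32_t now, int flawed)
{
    struct entry e;
    memset(&e, 0, sizeof e);
    e.stamp[0] = now;
    e.used = 1;
    return flawed ? hits_flawed(&e, now, 60) : hits_checked(&e, now, 60);
}

int main(void)
{
    uint32_t early = 1000000u, late = 0x90000000u;  /* constructed tick values */
    printf("early: flawed=%u checked=%u\n", first_packet(early, 1), first_packet(early, 0));
    printf("late:  flawed=%u checked=%u\n", first_packet(late, 1), first_packet(late, 0));
    return 0;
}
```

Once the modelled counter passes 2^31 ticks, every zero-filled slot compares as later than the window cutoff, so the flawed count for a first packet is 4, which reaches the `--hitcount 4` threshold in the rules quoted above; the checked variant still reports 1.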