On 21-02-11 12:50, Alexander Clouter wrote:
Be careful as you are possibly opening yourself up to a DoS for the v6 case. Most attackers will be able to move through their local /64, which might cause problems when using recent directly; might be worth combining it with hashlimit too.
Thanks for the useful addition. Yes, we did realise that you can get IPv6 /48 netblocks for free, meaning a million billion billion IP addresses, meaning you could use a new source address for every single attempt and still have some left for all the square centimeters of your part of the earth.

Fortunately, the xt_recent module is quite limiting in itself: the "ip_list_tot" is 100, meaning there won't be more than 100 IP addresses in the list. And please note that IPv4 and IPv6 are mixed here, so it's 100 addresses total.

All in all, this method won't work when IPv6 attacks become more widely used and more sophisticated (using a new IP address for every connection); it would just slowly flush the list. However, I haven't seen such a connection for now, so at the moment you would be safe by looking at the "block" log file once in a while. (With a script or so ;-)

Best regards,
Valentijn
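The two points the thread makes about xt_recent (the 100-entry "ip_list_tot" cap with eviction, and the suggestion to aggregate on the attacker's /64 rather than track single hosts) can be made concrete with a small simulation. The following is an added example written for this note, not code from the thread, the kernel or iptables: a simplified Python model of one "recent" table with LRU eviction and an optional per-family prefix mask. The per-/64 aggregation is an assumption chosen to illustrate the mitigation, and all addresses are constructed sample values.

```python
"""Simplified model of the netfilter xt_recent ("recent" match) address list.

Constructed for this note as an illustration; it is not code from the mailing
list thread or from the kernel.  It models two behaviours the thread relies on:
  * ip_list_tot (default 100): the table holds at most 100 entries and evicts
    the least recently seen one when full, so a flood of fresh source
    addresses pushes earlier entries out of the list;
  * an optional per-family prefix mask (the counterpart of the real match's
    --mask option; the /64 for IPv6 is an assumption chosen for this example)
    that makes every address inside one prefix share a single entry.
"""
from collections import OrderedDict
import ipaddress

IP_LIST_TOT = 100      # xt_recent module default, as quoted in the thread
IP_PKT_LIST_TOT = 20   # xt_recent default number of timestamps kept per entry


class RecentList:
    """One 'recent' table: prefix key -> list of hit timestamps (LRU order)."""

    def __init__(self, ip_list_tot=IP_LIST_TOT, mask4=32, mask6=128):
        self.ip_list_tot = ip_list_tot
        self.mask4 = mask4            # /32 and /128 = one entry per host
        self.mask6 = mask6
        self.entries = OrderedDict()  # oldest (least recently seen) first

    def _key(self, addr):
        ip = ipaddress.ip_address(addr)
        plen = self.mask6 if ip.version == 6 else self.mask4
        # Strip host bits so every address in the prefix maps to one entry
        return ipaddress.ip_network(f"{ip}/{plen}", strict=False)

    def set(self, addr, now):
        """Like --set: record a hit, creating the entry (with LRU eviction)."""
        key = self._key(addr)
        if key in self.entries:
            self.entries.move_to_end(key)
            stamps = self.entries[key]
        else:
            if len(self.entries) >= self.ip_list_tot:
                self.entries.popitem(last=False)   # evict least recently seen
            stamps = self.entries[key] = []
        stamps.append(now)
        del stamps[:-IP_PKT_LIST_TOT]              # keep only the newest stamps

    def contains(self, addr):
        return self._key(addr) in self.entries

    def rcheck(self, addr, now, seconds, hitcount):
        """Like --rcheck --seconds N --hitcount M: true if >= M hits in N seconds."""
        stamps = self.entries.get(self._key(addr))
        if stamps is None:
            return False
        return sum(1 for t in stamps if now - t <= seconds) >= hitcount


def simulate_rotating_source(mask6):
    """80 legitimate hosts (in distinct /64s) are tagged, then one source
    cycles through 150 addresses inside a single /64.  Returns
    (legitimate entries that survive, total entries).  Constructed data."""
    table = RecentList(mask6=mask6)
    legit = [f"2001:db8:{i:x}::1" for i in range(1, 81)]
    for t, a in enumerate(legit):
        table.set(a, t)
    rotating = [f"2001:db8:bad::{i:x}" for i in range(1, 151)]
    for t, a in enumerate(rotating, start=len(legit)):
        table.set(a, t)
    survivors = sum(1 for a in legit if table.contains(a))
    return survivors, len(table.entries)


if __name__ == "__main__":
    print("per-host entries (mask /128):", simulate_rotating_source(128))
    print("per-/64 entries  (mask /64): ", simulate_rotating_source(64))
```

With per-host entries the 150 rotating addresses evict every one of the 80 legitimate entries (the "slowly flush the list" effect described above); with a /64 mask the whole rotation occupies a single entry and the 80 legitimate entries survive. In real rules the same aggregation is what the recent match's `--mask` and hashlimit's `--hashlimit-srcmask` provide; the model leaves out `--update`, `--remove` and the reap timing.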