My question is about iptables when using the "recent" module. I am mostly interested in the "rcheck" and "update" options.
Example:
---------------
Someone tries to open a 1st SSH connection to my server. Then 45 seconds later a 2nd connection. Then 45 seconds later a 3rd connection. All from the same IP of course.
If I am using:
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name testssh --rsource
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name testssh --rcheck --seconds 60 --hitcount 3 --rsource -j DROP
All three connections should succeed because "rcheck" will always remove the IP from the "testssh" list 60 seconds after the very 1st attempt was made. So the 3rd attempt (which comes after 90 seconds: 45 secs x 2) will not be blocked since the IP is not in the list anymore.
In this case "hitcount" will not exceed the value of 2.
Now, if I am using:
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name testssh --rsource
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name testssh --update --seconds 60 --hitcount 3 --rsource -j DROP
The 3rd connection should fail because "update" will check incoming packets (which, by the way, are 45 seconds apart in this case) and, if their IP is already in the "testssh" list, the 60-second window (timestamp) would get reset and start over again.
In this case "hitcount" would effectively reach the value of 3.
I made sure "MaxAuthTries" in "sshd_config" was set to 6 and I also stopped the "fail2ban" service to make sure they wouldn't interfere with the testing process.
I then set the "rcheck" rule as described above and, to my surprise, I wasn't able to connect the 3rd time. How come? Shouldn't that only be the case with the "update" option?