Remote ssh access

[gsnake]

ok. ÿ ïîëüçóþñü èëè vi èëè far äëÿ ðåäàêòèðîâàíèÿ post-xxx ôàéëîâ. òî åñòü ñåé÷àñ ìîé post-firewall âûãëÿäèò òàê

#!/bin/sh
iptables -I INPUT -p tcp --dport õõõõ -j ACCEPT
iptables -I INPUT -p tcp --dport 8080 -j ACCEPT
iptables -t nat -I PREROUTING -i ! $3 -p tcp -m state --state NEW --dport õõõõ-m recent --set --name SSH_ATTACKER --rsource
iptables -I INPUT -i ! $3 -p tcp -m state --state NEW --dport õõõõ -m recent --update --seconds 600 --hitcount 3 --name SSH_ATTACKER --rsource -j DROP
logger '----iptables initialized----'

---------------------------------
Ïðèìå÷àíèå - ÕÕÕÕ ýòî ìîé ïîðò. 8080 òîæå îòêðûò âðåììåííî (íà âñÿêèé ïîæàðíûé)
----------------------------

iptables -L -vn

Code:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    4   200 DROP       tcp  --  !br0   *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:XXXX recent: UPDATE seconds: 600 hit_count: 3 name: SSH_ATTACKER side: source 
  211 22258 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:8080 
  362 38177 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:XXXX 
    2   152 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID 
16208 1453K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED 
 1451 87060 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0          state NEW 
 4658 1610K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0          state NEW 
  441  159K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp spt:67 dpt:68 
   88 20114 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain FORWARD (policy ACCEPT 735 packets, 38292 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0          
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID 
 519K  479M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED 
    0     0 DROP       all  --  !br0   vlan1   0.0.0.0/0            0.0.0.0/0          
   70  5462 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          ctstate DNAT 

Chain OUTPUT (policy ACCEPT 22838 packets, 3255K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain MACS (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain SECURITY (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp flags:0x16/0x02 limit: avg 1/sec burst 5 
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp flags:0x17/0x04 limit: avg 1/sec burst 5 
    0     0 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          limit: avg 5/sec burst 5 
    0     0 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          limit: avg 5/sec burst 5 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain logaccept (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW LOG flags 7 level 4 prefix `ACCEPT ' 
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain logdrop (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW LOG flags 7 level 4 prefix `DROP ' 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

----

iptables -L -vnt nat

Code:

Chain PREROUTING (policy ACCEPT 1358 packets, 157K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    4   200            tcp  --  !br0   *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:XXXX recent: SET name: SSH_ATTACKER side: source 
  146 24959 VSERVER    all  --  *      *       0.0.0.0/0            99.238.7.36        

Chain POSTROUTING (policy ACCEPT 1576 packets, 96278 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  735 38292 MASQUERADE  all  --  *      vlan1  !99.238.7.36          0.0.0.0/0          
    5   956 MASQUERADE  all  --  *      br0     192.168.1.0/24       192.168.1.0/24     

Chain OUTPUT (policy ACCEPT 1532 packets, 92894 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain VSERVER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   13   608 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:6881 to:192.168.1.196:6881 
   36  3732 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp dpt:6881 to:192.168.1.196:6881 
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:31220 to:192.168.1.1:4662 
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp dpt:31220 to:192.168.1.1:4662

[Mam(O)n]

Ýòî ïîõîæå áàã. Ïîäðîáíîñòè ðàññêàæó ïîçæå.

çû. ×åðåç 600 ñåêóíä ïîñëå ñòàðòà ðîóòåðà âñå äîëæíî çàðàáîòàòü êàê íàäî.

[Mam(O)n]

 îáùåì ÿ äóìàþ, ÷òî ýòî ýòîò áàã òóò âîäó ìóòèò.

çû. ß ïîïûòàëñÿ ïåðåñîáðàòü ïðîøèâêó, èçìåíèâ êîä ñîãëàñíî ïðèëîæåííîìó ê òîé ñòàòüå ïàò÷ó, íî â ñâÿçè ñî ñâîèìè ñêðîìíûìè ïîçíàíèÿìè íàòêíóëñÿ â ðåçóëüòàòå íà "insmod: unresolved symbol get_seconds" ïðè ïîïûòêå çàãðóçèòü èñïðàâëåííûé ìîäóëü. Òàê ÷òî ïîäòâåðäèòü èëè îïðîâåðãíóòü âûäâèíóòóþ ìíîé ãèïîòåçó ÿ íå â ñîñòîÿíèè.

[Oleg]

Íàäî ïîèñêàòü ýêâèâàëåíò get_seconds â íàøåì ÿäðå...

[gsnake]

 îáùåì ÿ äóìàþ, ÷òî ýòî ýòîò áàã òóò âîäó ìóòèò.

çû. ß ïîïûòàëñÿ ïåðåñîáðàòü ïðîøèâêó, èçìåíèâ êîä ñîãëàñíî ïðèëîæåííîìó ê òîé ñòàòüå ïàò÷ó, íî â ñâÿçè ñî ñâîèìè ñêðîìíûìè ïîçíàíèÿìè íàòêíóëñÿ â ðåçóëüòàòå íà "insmod: unresolved symbol get_seconds" ïðè ïîïûòêå çàãðóçèòü èñïðàâëåííûé ìîäóëü. Òàê ÷òî ïîäòâåðäèòü èëè îïðîâåðãíóòü âûäâèíóòóþ ìíîé ãèïîòåçó ÿ íå â ñîñòîÿíèè.

íó åëêè-ïàëêè.. âñå íà÷àëîñü òàê òèõî-ìèðíî ñ îáû÷íîãî âîïðîñà à òåïåðü äîøëè è äî ÿäðà..
íó ìíå áû âàøè çíàíèÿ.. â ëþáîì ñëó÷àå - åùå ðàç ñïàñèáî çà ïîìîùü!

gsnake

[gsnake]

íó åëêè-ïàëêè.. âñå íà÷àëîñü òàê òèõî-ìèðíî ñ îáû÷íîãî âîïðîñà à òåïåðü äîøëè è äî ÿäðà..
íó ìíå áû âàøè çíàíèÿ.. â ëþáîì ñëó÷àå - åùå ðàç ñïàñèáî çà ïîìîùü!

gsnake

ß òàêæå îáðàòèë âíèìàíèå íà òî, ÷òî ñåãîäíÿ ïåðâûå 2 ïîïûòêè ëîãèíà áûëè óäà÷íûìè (áåç timeout) à âñå ïîñëåäóþùèå - c timeouts.. (äàæå åñëè ëîãèíèòüñÿ ïûòàëñÿ ñ äðóãèõ IP).

[Mam(O)n]

Íàäî ïîèñêàòü ýêâèâàëåíò get_seconds â íàøåì ÿäðå...

Íàøåë CURRENT_TIME åìó èìÿ.  îáùåì âûäðàë ÿ èç ÿäðà 2.4.35.3 ipt_recent.c è ipt_recent.h, íàëîæèë ïàò÷, ÷òî â òîé ñòàòüå áûë è ïðîáëåìà èñ÷åçëà. Íå çíàþ, ïðàâèëüíî ëè ÿ ñäåëàë, âçÿâ èç äðóãîé âåðñèè ÿäðà ýòè ôàéëû, íî ÷¸ðò âîçüìè ýòî ðàáîòàåò Ê òîìó æå, ñóäÿ ïî chanelog ÿäðà, â ipt_recent áûëè èñïðàâëåíû íåêîòîðûå îøèáêè ïîñëå âåðñèè 2.4.20.

Êòî õî÷åò, ìîæåò ïîïðîáîâàòü ïðèàòòà÷åííûé ìîäóëü ipt_recent.o. Åñëè ïîçâîëèò ìåñòî âî flashfs, òî ðàñïàêóéòå ôàéë .gz è çàïèøèòå ìîäóëü .o äîïóñòèì â /usr/local/lib è ñîõðàíèòå flashfs save && flashfs commit.  pre-boot ñîîòâåòñòâåííî ñòðîêà çàãðóçêè áóäåò òàêàÿ: insmod /usr/local/lib/ipt_recent.o

upd:
Äî ââîäà êîìàíäû flashfs commit, âî èçáåæàíèå íåäîðàçóìåíèé óáåäèòåñü, ÷òî ðàçìåð ïîëó÷åííîãî flashfs íå ïðåâûøàåò 64Ê. Äëÿ ýòîãî ïîñëå êîìàíäû flashfs save (è äî commit) îáðàòèòå âíèìàíèå íà ñòðîêó âèäà:

Code:

-rw-r--r-- 1 root root 10710 Nov 16 15:24 /tmp/flash.tar.gz
Check saved image and type "/sbin/flashfs commit" to commit changes

ãäå çíà÷åíèå, âûäåëåííîå êðàñíûì íå äîëæíî ïðåâûøàòü 65535. Åñëè çíà÷åíèå ïðåâûøàåò ìàêñèìàëüíûé ðàçìåð, òî îòêàæèòåñü îò äàííîé çàòåè, ÍÅ äåëàéòå flashfs commit è óäàëèòå /usr/local/lib/ipt_recent.o.

upd2:
Ìîæíî òàêæå åãî ñëèòü ñ ôîðóìà ñðåäñòâàìè ðîóòåðà:

Code:

mkdir /usr/local/lib
wget 'http://wl500g.info/attachment.php?attachmentid=2005&d=1195170790' -O - | gzip -d > /usr/local/lib/ipt_recent.o

Ïîñëå òîëüêî íå çàáóäüòå ïðîâåðèòü ïîëó÷åííûé ðàçìåð ñ ïîìîùüþ ls -la /usr/local/lib/ipt_recent.o, îí äîëæåí áûòü ðàâåí 14900 áàéò.

Code:

-rw-r--r-- 1 root root 14900 Nov 16 01:03 /usr/local/lib/ipt_recent.o

[gsnake]

Íàøåë CURRENT_TIME åìó èìÿ.  îáùåì âûäðàë ÿ èç ÿäðà 2.4.35.3 ipt_recent.c è ipt_recent.h, íàëîæèë ïàò÷, ÷òî â òîé ñòàòüå áûë è ïðîáëåìà èñ÷åçëà. Íå çíàþ, ïðàâèëüíî ëè ÿ ñäåëàë, âçÿâ èç äðóãîé âåðñèè ÿäðà ýòè ôàéëû, íî ÷¸ðò âîçüìè ýòî ðàáîòàåò Ê òîìó æå, ñóäÿ ïî chanelog ÿäðà, â ipt_recent áûëè èñïðàâëåíû íåêîòîðûå îøèáêè ïîñëå âåðñèè 2.4.20.

Êòî õî÷åò, ìîæåò ïîïðîáîâàòü ïðèàòòà÷åííûé ìîäóëü ipt_recent.o. Åñëè ïîçâîëèò ìåñòî âî flashfs, òî ðàñïàêóéòå ôàéë .gz è çàïèøèòå ìîäóëü .o äîïóñòèì â /usr/local/lib è ñîõðàíèòå flashfs save && flashfs commit.  pre-boot ñîîòâåòñòâåííî ñòðîêà çàãðóçêè áóäåò òàêàÿ: insmod /usr/local/lib/ipt_recent.o

Êðóòî! Íàäî ïîïðîáîâàòü. Ñòîèò ëè óïîìÿíóòü î òîì, ÷òî ìîé ðîóòåð íå î÷åíü äðóæèò ñ òåêóùåì âðåìåíåì.. Âîò ÷òî ÿ âèæó â ëîãå...

Dec 31 13:00:17 kernel: FAT: bogus logical sector size 20487
Dec 31 13:00:17 kernel: VFS: Can't find a valid FAT filesystem on dev 08:00.
Nov 15 09:24:06 ntp client: Synchronizing time with time.nist.gov ...
Nov 15 09:26:48 dnsmasq[81]: DHCPDISCOVER(br0) 00:02:72:5a:2f:e5

È òî è äðóãîå íåâåðíî - íè 31 äåêàáðÿ íè 15 íîÿáðÿ â 9 ÷àñîâ..

gsnake

[al37919]

Ìèíóòû òî ïðàâèëüíûå --- à ÷òîáû ÷àñû áûëè ïðàâèëüíûìè íàäî âûñòàâëÿòü êîððåêòíóþ timezone â âåá-ÈÔ. ntp ñåðâåð ëó÷øå ñòàâèòü pool.ntp.org èëè ru.pool.ntp.org , õîòÿ åñëè ñ nist óñïåøíî ñîåäèíÿåòñÿ, òî ýòî íè÷åãî íå èçìåíèò.

Âïðî÷åì, äëÿ ipt_recent àáñîëþòíîå âðåìÿ íåâàæíî. Åìó íóæíû òîëüêî îòíîñèòåëüíûå èíòåðâàëû.

P.S. Ïðèêîëüíî --- äåéñòâèòåëüíî ðàáîòàåò (ïî êðàéíåé ìåðå ìåíÿ áàíèò). Ìîãó äîáàâèòü ïàðó íàáëþäåíèé, óòî÷íÿþùèõ ïîâåäåíèå ýòîé ôè÷è:
1) Çàïðåò ïðîèñõîäèò íåçàâèñèìî îò óñïåøíîñòè/íåóñïåøíîñòè ëîãèíà.
2) Åñëè --hitcount çàäàí 3, òî äâå ïîïûòêè ïðîïóñêàþòñÿ òðåòüÿ áàíèòñÿ.
3) Ïîñêîëüêó â ïðèâåäåííîì ïðèìåðå èñïîëüçóåòñÿ ïàðàìåòð --update, òî ïîñëå òðåòüåé ïîïûòêè áóäåò áàíèòüñÿ ëþáûå äàëüíåéøèå ïîïûòêè â òå÷åíèå 600 ñåêóíä ïîñëå ïîñëåäíåé ïîïûòêè ñ ýòîãî IP. Äëÿ ñìÿã÷åíèÿ ýòîãî äîâîëüíî æåñòêîãî ïðàâèëà ìîæíî âìåñòî --update çàäàòü --rcheck, òîãäà âðåìÿ äåéñòâèÿ áàíà îòñ÷èòûâàåòñÿ îò ïåðâîé ïîïûòêè èç òðåõ. ( http://www.snowman.net/projects/ipt_recent/ )

Ïîëàãàþ, ÷òî ýòîò --hitcount ìîæíî óâåëè÷èòü ãäå-òî äî 6, èëè äàæå äî 11, ÷òîáû íå äàé áîã íå îáèäåòü ñåáÿ ëþáèìîãî . À òî âåäü èíîé ðàç è ñàì ïàðîëü ïåðåïóòàåøü, à ñ äðóãîé ñòðîðíû èíîãäà óäîáíî îðãàíèçîâàòü íå îäíó ñåññèþ.

À íåò ëè âîçìîæíîñòè ñîñòàâèòü áåëûé ñïèñîê àäðåñîâ, íà êîòîðûé äàííûå ïðàâèëà íå ðàñïðîñòðàíÿþòñÿ?

[Mam(O)n]

Âïðî÷åì, äëÿ ipt_recent àáñîëþòíîå âðåìÿ íåâàæíî.

Íåâàæíî, åñëè òîëüêî îíî íå áëèçêîå ê 1970-01-01 00:00:00 UTC, ÷òî äëÿ ìíîé ïðîïàò÷åííîãî ipt_recent ÿâëÿåòñÿ íóë¸ì ñî âñåìè âûòåêàþùèìè. ×òîáû ýòîãî èçáåæàòü â post-boot(èëè äàæå ëó÷øå â pre-boot) ìîæíî âñòàâèòü äîïóñòèì date 010101012000. Ýòî ïîìîæåò ïðîïàò÷åííîìó, íî íå ïîìîæåò îðèãèíàëüíîìó ipt_recent.  îðèãèíàëüíîì âåäåòñÿ ñîáñòâåííûé îòñ÷åò, íå çàâèñÿùèé îò ñèñòåìíîãî âðåìåíè.

upd

À íåò ëè âîçìîæíîñòè ñîñòàâèòü áåëûé ñïèñîê àäðåñîâ, íà êîòîðûé äàííûå ïðàâèëà íå ðàñïðîñòðàíÿþòñÿ?

Íó à êàêæå. Ïåðåä äðîïàþùèì ïðàâèëîì â INPUT ìîæíî âñòàâèòü ïðàâèëî ACCEPT ñ èñòî÷íèêîì ip=íóæíîìó àäðåñó. Äîïóñòèì, íà ïðèìåðå ìîåãî post-firewall:

Code:

#!/bin/sh
iptables -P INPUT DROP
iptables -D INPUT -j DROP
iptables -A INPUT -p tcp -s xx.xx.xx.xx --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW --dport 22 -m recent --set --name SSH_ATTACKER --rsource
iptables -A INPUT -p tcp -m state --state NEW --dport 22 -m recent --update --seconds 600 --hitcount 6 --name SSH_ATTACKER --rsource -j DROP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

[gsnake]

Íåâàæíî, åñëè òîëüêî îíî íå áëèçêîå ê 1970-01-01 00:00:00 UTC, ÷òî äëÿ ìíîé ïðîïàò÷åííîãî ipt_recent ÿâëÿåòñÿ íóë¸ì ñî âñåìè âûòåêàþùèìè. ×òîáû ýòîãî èçáåæàòü â post-boot ìîæíî âñòàâèòü äîïóñòèì date 010101012000. Ýòî ïîìîæåò ïðîïàò÷åííîìó, íî íå ïîìîæåò îðèãèíàëüíîìó ipt_recent.  îðèãèíàëüíîì âåäåòñÿ ñîáñòâåííûé îòñ÷åò, íå çàâèñÿùèé îò ñèñòåìíîãî âðåìåíè.

upd


Íó à êàêæå. Ïåðåä äðîïàþùèì ïðàâèëîì â INPUT ìîæíî âñòàâèòü ïðàâèëî ACCEPT ñ èñòî÷íèêîì ip=íóæíîìó àäðåñó. Äîïóñòèì, íà ïðèìåðå ìîåãî post-firewall:

Code:

#!/bin/sh
iptables -P INPUT DROP
iptables -D INPUT -j DROP
iptables -A INPUT -p tcp -s xx.xx.xx.xx --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW --dport 22 -m recent --set --name SSH_ATTACKER --rsource
iptables -A INPUT -p tcp -m state --state NEW --dport 22 -m recent --update --seconds 600 --hitcount 6 --name SSH_ATTACKER --rsource -j DROP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

- А зачем тогда PREROUTING используется? Если я запускаю dropbear на порту 8080 могу ли я использовать твой post-firewall (заменив соответственно 22 на 8080)? Или обязательно PREROUTING нужен?
- Кстати как часовой пояс правильно выставил все стало работать лучше (как описано у al37919 ). до этого было не 600 секунд а гораздо больше...

[Mam(O)n]

Åñëè ÿ çàïóñêàþ dropbear íà ïîðòó 8080 ìîãó ëè ÿ èñïîëüçîâàòü òâîé post-firewall (çàìåíèâ ñîîòâåòñòâåííî 22 íà 8080)?

Äà .

[gsnake]

Äà .

поменял - теперь пускает сколько хочешь.. =)

#!/bin/sh
iptables -P INPUT DROP
iptables -D INPUT -j DROP
iptables -A INPUT -p tcp -m state --state NEW --dport 8080 -m recent --set --name SSH_ATTACKER --rsource
iptables -A INPUT -p tcp -m state --state NEW --dport 8080 -m recent --update --seconds 600 --hitcount 6 --name SSH_ATTACKER --rsource -j DROP
iptables -I INPUT -p tcp --dport 8080 -j ACCEPT

[Mam(O)n]

Âíèìàòåëüíåå, òîâàðèùè
#!/bin/sh
iptables -P INPUT DROP
iptables -D INPUT -j DROP
iptables -A INPUT -p tcp -m state --state NEW --dport 8080 -m recent --set --name SSH_ATTACKER --rsource
iptables -A INPUT -p tcp -m state --state NEW --dport 8080 -m recent --update --seconds 600 --hitcount 6 --name SSH_ATTACKER --rsource -j DROP
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT

[al37919]

O, âîò òåïåðü ïîëó÷èëñÿ ëþáèìûé ìíîé âàðèàíò, êîãäà ìîæíî ñïîêîéíî äîáàâëÿòü ïðàâèëà ñ ïîìîùüþ -A è íå íóæíî ìîíèòîð ïåðåâîðà÷èâàòü ââåðõ íîãàìè, ÷òîáû ïîñìîòðåòü â êàêîì ïîðÿäêå îíè áóäóò âûïîëíÿòüñÿ.

À åñëè ñåðüåçíî, òî âñåãäà íàäî ïðîâåðÿòü ðåçóëüòàò ñ ïîìîùüþ iptables -L [-t nat]

À åñëè ñîâñåì ïî òåìå, òî òàáëèöà ïîñòåïåííî çàïîëíÿåòñÿ. Ýòà øòóêà ðàáîòàåò ÷àñà 4, à â SSH_ATTACKER óæå 3 çàïèñè âêëþ÷àÿ ìîé òåñò. Àïòàéì ê äàííîìó ìîìåíòó 11 äíåé è íàäåþñü, ÷òî äî ñâîåãî âîçâðàùåíèÿ èç êîìàíäèðîâêè îí äîéäåò ãäå-íèáóäü äíåé äî 40. Ñêîëüêî æå çàïèñåé áóäåò â ýòîé òàáëèöå è ïî÷åìó íå óäàëÿþòñÿ áåñïîëåçíûå çàïèñè (òå, ñðîê äàâíîñòè ïî êîòîðûì óæå âûøåë). Âåäü åñëè ãîñòü ñ ýòîãî æå àäðåñà çàãëÿíåò åùå ðàçîê, òî îí áóäåò äîáàâëåí ñ íóëÿ áåç ïðîáëåì. À âåäü ãäå-òî ýòî äîëæíî õðàíèòüñÿ, äà è ïðîâåðêà èäòè ïî âñåì àäðåñàì --- ëèøíèå íàêëàäíûå ðàñõîäû. Íåò ëè òàì âàðèàíòà ñàìîî÷èñòêè îò áåñïîëåçíîé èíôîðìàöèè. Èëè ýòà òàáëèöà èç ñåáÿ ÷òî òî âðîäå ëîãà ïðåäñòàâëÿåò?

P.S. Íó äà ÿ ïîíÿë, ïî êðàéíåé ìåðå äëÿ ADSL ñîåäèíåíèÿ òàêàÿ ïðîáëåìà íå ñóùåñòâóåò, ò.ê. ïðè åæåñóòî÷íîì ðàçðûâå ñîåäèíåíèÿ iptables ïåðåçàïóñêàþòñÿ.