On Monday, November 24 2008, David C. Rankin scratched these words onto a coconut shell, hoping for an answer:
Carlos E. R. wrote:
On Monday, 2008-11-24 at 16:26 +0100, Verner Kjærsgaard wrote:
Hi list,
I quote: "You can use the automated block mechanism included in susefirewall. Simply activate it."
...eh how, where? (:-))
Just search the answers to that email, it was explained at least twice.
-- Cheers, Carlos E. R.
Carlos -- Is this what you're referring to?
from Carlos <previously> at http://linux.derkeiler.com/Mailing-Lists/SuSE/2005-12/msg02391.html
<quote>
The Sunday 2005-12-25 at 23:17 +0200, Andre Truter wrote:
Why bother with the firewall, do it the easy way: echo "PORT : IP_ADDY/NETMASK" | sudo tee -a /etc/hosts.deny && sudo rcsshd restart done.
But won't this still cause my box to respond to their request - even to just say DENY?
Right.
I just tried the trick I mentioned the other day, making use of the "recent" module for iptables, and it works. It allows me to try six times in a minute, and the seventh it blocks me. It can be adjusted. This is what I see on the log for failed tries:
Dec 26 01:46:15 nimrodel kernel: SSH attack: IN=eth0 OUT= MAC=00:40:f4:2e:b1:21:00:30:84:0a:8b:f5:08:00 SRC=192.168.100.1 DST=192.168.100.2 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=50094 DF PROTO=TCP SPT=1048 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
It is as follows; edit /etc/sysconfig/scripts/SuSEfirewall2-custom; search for function "fw_custom_before_antispoofing()" near the beginning. Insert this:
fw_custom_before_antispoofing() {
    # Blocking ssh attacks
    iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
    iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j LOG --log-prefix 'SSH attack: '
    iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j REJECT
    true
}
Then reload the firewall with the command "SuSEfirewall2":
nimrodel:/etc/sysconfig/scripts # SuSEfirewall2
SuSEfirewall2: Warning: ip6tables does not support state matching. Extended IPv6 support disabled.
SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
SuSEfirewall2: Firewall customary rules loaded from /etc/sysconfig/scripts/SuSEfirewall2-custom
SuSEfirewall2: Firewall rules successfully set
nimrodel:/etc/sysconfig/scripts #
I don't have a full time network connection, so I can't try this "out there", but I think it should work, it is easy and automatic, and efficient on the network, I suppose.
And, I know almost nothing about iptables, so I don't know if the rule is perfect; for example, I don't know whether it should better be "DROP" instead of "REJECT"...
<snip>

David, I think the program you asked about, which tied up the little dears for, well, as long as the users wanted to, was a "quicksand" type of program: they tried to log into a computer that was basically a "honeypot" and found themselves stuck in the La Brea tarpit. I think the program was actually called LaBrea Tarpit, or perhaps just tarpit, or something very like it. It is allegedly illegal to use in the US. It "interferes" w/ someone else's use of their computer. It was years ago this program began, nearly 10 yrs if my remembery mode is working at all. I never heard if the program or users ever got the thing in the courts, who would after some time issue a decision that would say it was or was not illegal to protect my computer, by making it so these little devils to pester folks, not to mention the illegality of what he was attempting to do, by connecting to my computer. <shrug> hope that helps someone

-- 
j
"Its like a song I can hear playing right in my ear That I cant sing I cant help listening"

-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
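As an added, defender-side example (not code from the thread, nor from SuSEfirewall2 or iptables), the Python below parses kernel log lines of the shape the quoted 'SSH attack: ' LOG rule produces, tallies them per source address, and models how the "recent" list the quoted rules configure (--seconds 60 --hitcount 6) decides which SYN gets logged and rejected. The first sample line is the one from the thread; the others are constructed. The model leaves out the module's bounded per-entry stamp table, and because the --set rule runs before --update the current packet itself is counted, so in this model the sixth SYN inside the window is the first one matched.

```python
import re
from collections import defaultdict, deque

# Constructed sample syslog lines (first one taken from the thread, the rest
# made up for this example); the last line is an unrelated LOG entry.
SAMPLE_LOG = """\
Dec 26 01:46:15 nimrodel kernel: SSH attack: IN=eth0 OUT= MAC=00:40:f4:2e:b1:21:00:30:84:0a:8b:f5:08:00 SRC=192.168.100.1 DST=192.168.100.2 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=50094 DF PROTO=TCP SPT=1048 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 26 01:46:20 nimrodel kernel: SSH attack: IN=eth0 OUT= SRC=192.168.100.1 DST=192.168.100.2 LEN=60 TTL=64 PROTO=TCP SPT=1049 DPT=22 SYN URGP=0
Dec 26 01:47:02 nimrodel kernel: SSH attack: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.100.2 LEN=60 TTL=64 PROTO=TCP SPT=40000 DPT=22 SYN URGP=0
Dec 26 01:50:00 nimrodel kernel: other rule: IN=eth0 OUT= SRC=10.0.0.9 DST=192.168.100.2 PROTO=TCP DPT=80
"""

# "<Mon dd HH:MM:SS> <host> kernel: <log-prefix>: <key=value ...>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: "
    r"(?P<prefix>.*?): (?P<kv>.*)$"
)


def parse_line(line):
    """Split one iptables LOG line into timestamp, log prefix and fields.
    Returns None for lines that are not kernel LOG output."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {}
    for tok in m.group("kv").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val            # e.g. SRC=..., DPT=22, OUT= (empty)
        else:
            fields[tok] = True           # bare flags such as DF or SYN
    return {"ts": m.group("ts"), "prefix": m.group("prefix"), "fields": fields}


def count_sources(log_text, prefix="SSH attack"):
    """How many times each source address hit the rule with this log prefix."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["prefix"] == prefix and "SRC" in rec["fields"]:
            counts[rec["fields"]["SRC"]] += 1
    return dict(counts)


class RecentTracker:
    """Simplified model of the xt_recent list 'sshattack' as the quoted rules
    set it up: every SYN is stamped (--set), then the --update rule matches
    once at least HITCOUNT stamps from that source fall within SECONDS.
    (The real module keeps only a bounded number of stamps per address.)"""

    def __init__(self, seconds=60, hitcount=6):
        self.seconds = seconds
        self.hitcount = hitcount
        self.stamps = defaultdict(deque)

    def syn(self, src, now):
        """Record one SYN at time `now`; True if LOG/REJECT would match it."""
        q = self.stamps[src]
        q.append(now)                          # --set runs first, so this packet counts
        while q and now - q[0] > self.seconds:
            q.popleft()                        # stamps older than --seconds are ignored
        return len(q) >= self.hitcount         # --update --hitcount satisfied


def first_rejected_attempt(times, seconds=60, hitcount=6):
    """1-based index of the first SYN (at the given times, in seconds) that the
    REJECT rule would hit, or None if the source never reaches the hit count."""
    tracker = RecentTracker(seconds, hitcount)
    for i, t in enumerate(times, 1):
        if tracker.syn("hypothetical-src", t):
            return i
    return None


if __name__ == "__main__":
    print(count_sources(SAMPLE_LOG))
    # ten SYNs 10 s apart: the sixth lands inside the 60 s window -> 6
    print(first_rejected_attempt([10 * i for i in range(10)]))
    # ten SYNs 100 s apart: never more than one stamp in the window -> None
    print(first_rejected_attempt([100 * i for i in range(10)]))
```

The tracker is handy for answering the "how many tries before I lock myself out" question before loading the rules: change the 60/6 arguments and the spacing of the attempt times and see which attempt trips the rule.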