Carlos E. R. wrote:
On Monday, 2008-11-24 at 16:26 +0100, Verner Kjærsgaard wrote:
Hi list,
I quote: "You can use the automated block mechanism included in susefirewall. Simply activate it."
...eh how, where? (:-))
Just search the answers to that email, it was explained at least twice.
-- Cheers, Carlos E. R.
Carlos -- Is this what you're referring to? From Carlos <previously> at http://linux.derkeiler.com/Mailing-Lists/SuSE/2005-12/msg02391.html

<quote>
The Sunday 2005-12-25 at 23:17 +0200, Andre Truter wrote:
Why bother with the firewall, do it the easy way: sudo echo "PORT : IP_ADDY/NETMASK" >>/etc/hosts.deny && rcsshd restart done.
But won't this still cause my box to respond to their request - even to just say DENY?
Right. I just tried the trick I mentioned the other day, making use of the "recent" module for iptables, and it works. It allows me to try six times in a minute, and the seventh it blocks me. It can be adjusted.

This is what I see on the log for failed tries:

Dec 26 01:46:15 nimrodel kernel: SSH attack: IN=eth0 OUT= MAC=00:40:f4:2e:b1:21:00:30:84:0a:8b:f5:08:00 SRC=192.168.100.1 DST=192.168.100.2 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=50094 DF PROTO=TCP SPT=1048 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

It is as follows; edit /etc/sysconfig/scripts/SuSEfirewall2-custom; search for function "fw_custom_before_antispoofing()" near the beginning. Insert this:

fw_custom_before_antispoofing() {
    # Blocking ssh attacks
    iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
    iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j LOG --log-prefix 'SSH attack: '
    iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j REJECT
    true
}

Then reload the firewall with the command "SuSEfirewall2":

nimrodel:/etc/sysconfig/scripts # SuSEfirewall2
SuSEfirewall2: Warning: ip6tables does not support state matching. Extended IPv6 support disabled.
SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
SuSEfirewall2: Firewall customary rules loaded from /etc/sysconfig/scripts/SuSEfirewall2-custom
SuSEfirewall2: Firewall rules successfully set
nimrodel:/etc/sysconfig/scripts #

I don't have a full time network connection, so I can't try this "out there", but I think it should work, it is easy and automatic, and efficient on the network, I suppose. And, I know almost nothing about iptables, so I don't know if the rule is perfect; for example, I don't know whether it should better be "DROP" instead of "REJECT"...

-- Cheers, Carlos Robinson
</quote>

-- David C. Rankin, J.D., P.E.
openSoftware und SystemEntwicklung
Rankin Law Firm, PLLC
www.rankinlawfirm.com
Countdown for openSuSE 11.1: http://counter.opensuse.org/11.1/small
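To make the behaviour of the quoted rules concrete, here is an added Python simulation (example code, not from this thread or from SuSEfirewall2) of the three rules: `-m recent --set`, then `--update --seconds 60 --hitcount 6` feeding LOG, then the same match feeding REJECT. It follows the documented xt_recent semantics, where the current packet's own `--set` stamp counts toward `--hitcount` and a successful `--update` refreshes the entry, so an address that keeps retrying stays blocked and only clears after 60 quiet seconds (with `--rcheck` instead of `--update` the block would not be extended). It also parses the `SSH attack:` kernel log lines the LOG rule writes and counts them per source, which is the defender's view of the rule firing. The per-address stamp limit (20), the sample SYN sequence and the extra log lines are constructed assumptions; the first log line is the one quoted above.

```python
"""Simulation of the iptables 'recent' SSH rate limit quoted in the thread.

Added example, not code from the thread. Models --set, then
--update --seconds 60 --hitcount 6 -> LOG, then the same -> REJECT,
and summarises the 'SSH attack:' log lines. All sample data is constructed.
"""
import re
from collections import defaultdict, deque

# Assumption: kernel default ip_pkt_list_tot, i.e. at most 20 timestamps per address.
STAMPS_PER_ADDR = 20


class RecentList:
    """Per-source timestamp table with --set and --update/--hitcount behaviour."""

    def __init__(self, seconds, hitcount):
        self.seconds = seconds
        self.hitcount = hitcount
        self.stamps = defaultdict(lambda: deque(maxlen=STAMPS_PER_ADDR))

    def set(self, src, now):
        """--set: record this packet unconditionally."""
        self.stamps[src].append(now)

    def update(self, src, now):
        """--update --seconds N --hitcount M: match when at least M recorded
        hits (the current packet's --set stamp included) fall within the last
        N seconds. A match adds another stamp, so continued attempts keep the
        address blocked; it only clears after N quiet seconds."""
        hits = sum(1 for t in self.stamps[src] if now - t <= self.seconds)
        if hits >= self.hitcount:
            self.stamps[src].append(now)
            return True
        return False


def ssh_syn_verdicts(syns, seconds=60, hitcount=6):
    """Pass each (time, src) SSH SYN through the three rules in order and
    return (time, src, verdict, logged) tuples."""
    table = RecentList(seconds, hitcount)
    out = []
    for now, src in syns:
        table.set(src, now)                # rule 1: -m recent --name sshattack --set
        logged = table.update(src, now)    # rule 2: --update ... -j LOG
        rejected = table.update(src, now)  # rule 3: --update ... -j REJECT
        out.append((now, src, "REJECT" if rejected else "ACCEPT", logged))
    return out


# Constructed: one source sends a SYN every second, a second host connects
# once, and the first source comes back after more than 60 quiet seconds.
SAMPLE_SYNS = [
    (0, "192.168.100.1"), (1, "192.168.100.1"), (2, "192.168.100.1"),
    (3, "10.0.0.5"), (3, "192.168.100.1"), (4, "192.168.100.1"),
    (5, "192.168.100.1"), (6, "192.168.100.1"), (70, "192.168.100.1"),
]

LOG_RE = re.compile(r"SSH attack: .*?SRC=(?P<src>[0-9.]+) .*?DPT=(?P<dport>\d+)")


def count_logged_sources(lines):
    """Count 'SSH attack:' LOG entries per source address, i.e. what a
    defender sees in the system log once the rule is live."""
    counts = defaultdict(int)
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group("dport") == "22":
            counts[m.group("src")] += 1
    return dict(counts)


# Constructed log lines in the LOG rule's format (the first is the line
# quoted in the thread; the others are made up for the example).
SAMPLE_LOG = [
    "Dec 26 01:46:15 nimrodel kernel: SSH attack: IN=eth0 OUT= MAC=00:40:f4:2e:b1:21:00:30:84:0a:8b:f5:08:00 SRC=192.168.100.1 DST=192.168.100.2 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=50094 DF PROTO=TCP SPT=1048 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Dec 26 01:46:16 nimrodel kernel: SSH attack: IN=eth0 OUT= MAC=00:40:f4:2e:b1:21:00:30:84:0a:8b:f5:08:00 SRC=192.168.100.1 DST=192.168.100.2 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=50095 DF PROTO=TCP SPT=1049 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Dec 26 01:50:02 nimrodel kernel: SSH attack: IN=eth0 OUT= MAC=00:40:f4:2e:b1:21:00:30:84:0a:8b:f5:08:00 SRC=10.0.0.5 DST=192.168.100.2 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=777 DF PROTO=TCP SPT=2222 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Dec 26 01:51:00 nimrodel kernel: unrelated message",
]

if __name__ == "__main__":
    for now, src, verdict, logged in ssh_syn_verdicts(SAMPLE_SYNS):
        print(f"t={now:3d}s {src:15} {verdict}{'  (logged)' if logged else ''}")
    print(count_logged_sources(SAMPLE_LOG))
```

Running it shows the first five SYNs from 192.168.100.1 accepted, the sixth and seventh within the window logged and rejected, the unrelated host unaffected, and the original source accepted again once it has been quiet for longer than 60 seconds. On the DROP-versus-REJECT question raised in the quote: REJECT answers each refused SYN (by default with an ICMP port-unreachable), so the client fails fast, while DROP answers nothing and leaves the client waiting for its own timeout; either way the `recent` table, not the target, decides when the block lifts.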