Volker Kuhlmann wrote:
On Sat 29 Mar 2008 06:10:43 NZDT +1300, Per Jessen wrote:
Erm, the same thing that is better not having any remote service opened by default? The fact that it could have a vulnerability that could lead to a successful attack?
Doesn't seem to have been much of a problem in the last few years, has it? Also, ssh only becomes vulnerable to an attack when you open the port in the firewall.
This is the case Markus wants to protect against. People turn off the firewall for their desktops because it blocks too much LAN functionality by default (mostly broadcasts about available services, at a guess).
If you're on a LAN, you don't really need a firewall, do you?
Even then there is probably still a rate-check to stop brute force attacks.
Not by default (though there should be); you'll have to go out of your way to configure that. Someone who doesn't use sshd won't be doing that.
I don't use the openSUSE firewall, but setting up a rate-check is only 3 iptables entries:

iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j LOG --log-prefix 'SSH attack: '
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j REJECT

This one rejects anyone with 6 login attempts within 60 seconds.

/Per Jessen, Zürich

---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-factory+help@opensuse.org
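To make the sliding-window behaviour of those three rules concrete, here is an added Python model (not code from the thread, from openSUSE or from netfilter) of what "-m recent" keeps per source address: every SYN to port 22 appends a timestamp via --set, and the --update rules match once six stamps fall inside the last 60 seconds, appending a further stamp each time they match. Two things the rules as written imply, which the model shows: they count TCP connection attempts rather than failed logins (several password tries fit inside one connection, and a script opening many short sessions trips them just like a brute-forcer), and a source that keeps retrying stays blocked because its blocked attempts keep refreshing the window. Because -A appends, the rules must also sit before any earlier ACCEPT for port 22, or they never fire. The addresses, timings and the ACCEPT fall-through are constructed assumptions; the per-address stamp cap uses the xt_recent default ip_pkt_list_tot of 20, and the window check is a simplification of the kernel's jiffies comparison.

```python
"""Model of the xt_recent ('-m recent') bookkeeping behind the three rules above.

Added illustration, not code from the opensuse-factory thread. It replays a
constructed sequence of TCP SYNs to port 22 through the rule chain
(--set, then --update/--hitcount -> LOG, then the same -> REJECT) and returns
the verdict for each SYN, so the behaviour can be checked without a root
shell or a kernel.
"""
from collections import defaultdict

IP_PKT_LIST_TOT = 20          # xt_recent default: timestamps kept per address


class RecentTable:
    """One '--name' list: source address -> list of packet timestamps."""

    def __init__(self, name):
        self.name = name
        self.stamps = defaultdict(list)

    def _record(self, src, now):
        lst = self.stamps[src]
        lst.append(now)
        if len(lst) > IP_PKT_LIST_TOT:   # oldest stamp is dropped once the cap is hit
            del lst[0]

    def set(self, src, now):
        """'--set': add a stamp for src; this match always succeeds."""
        self._record(src, now)
        return True

    def update(self, src, now, seconds, hitcount):
        """'--update --seconds S --hitcount N': match when src already has at
        least N stamps in the last S seconds; on a match, record this packet
        as well (the entry is only refreshed when the rule matched)."""
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t <= seconds)  # simplified window test
        if hits < hitcount:
            return False
        self._record(src, now)
        return True


def ssh_syn_verdict(table, src, now, seconds=60, hitcount=6):
    """Walk one SYN to port 22 through the three rules, in chain order.

    Returns (verdict, logged). The 'ACCEPT' fall-through is an assumption:
    some later rule or the chain policy accepts port 22. That rule has to come
    after these three, because -A appends and an earlier ACCEPT would shadow them.
    """
    table.set(src, now)                                  # rule 1: --set, no -j
    logged = table.update(src, now, seconds, hitcount)   # rule 2: -j LOG (non-terminating)
    if table.update(src, now, seconds, hitcount):        # rule 3: -j REJECT
        return "REJECT", logged
    return "ACCEPT", logged


def simulate(events, seconds=60, hitcount=6):
    """events: (time_in_seconds, source) SYNs in arrival order.
    Returns a list of (time, source, verdict, logged)."""
    table = RecentTable("sshattack")
    out = []
    for t, src in events:
        verdict, logged = ssh_syn_verdict(table, src, t, seconds, hitcount)
        out.append((t, src, verdict, logged))
    return out


# Constructed sample traffic (documentation addresses, not real hosts):
# a scanner opening a connection every second, a colleague making two
# connections in the same minute, then the scanner retrying later.
ATTACKER = "198.51.100.7"
LEGIT = "192.0.2.10"
SAMPLE_SYNS = [
    (0, ATTACKER), (1, ATTACKER), (2, ATTACKER), (2, LEGIT),
    (3, ATTACKER), (3, LEGIT), (4, ATTACKER), (5, ATTACKER),   # 6th SYN inside 60 s
    (30, ATTACKER),        # still inside the window: stays blocked
    (61, ATTACKER),        # the blocked attempts added stamps, so still blocked
    (130, ATTACKER),       # more than 60 s since the last stamp: allowed again
]

if __name__ == "__main__":
    for t, src, verdict, logged in simulate(SAMPLE_SYNS):
        print(f"t={t:4d}s  {src:14s} {verdict:6s}{'  (logged)' if logged else ''}")
```

Running it shows the attacker's first five SYNs accepted, the sixth and every retry inside the window rejected and logged, and the colleague's two connections untouched; changing the timing of the legitimate host to six connections in a minute shows it being rejected just the same, which is the trade-off of counting SYNs rather than authentication failures.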