Mailinglist Archive: opensuse-factory (626 mails)

[Marcus Meissner <meissner@xxxxxxx>]

On Sun, Mar 30, 2008 at 11:09:14AM +1300, Volker Kuhlmann wrote:
> On Sun 30 Mar 2008 03:39:11 NZDT +1300, Per Jessen wrote:
>
> > If you're on a LAN, you don't really need a firewall, do you?
>
> You're doing my trick: post well after bedtime.
>
> > I don't use the openSUSE firewall
>
> That's where your problem starts getting big quickly.
>
> > , but setting up a rate-check is only 
> > 3 iptables entries. 
> >
> > iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
> > iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack 
> > --update --seconds 60 --hitcount 6 -j LOG --log-prefix 'SSH attack: '
> > iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack 
> > --update --seconds 60 --hitcount 6 -j REJECT
>
> You can't be seriously suggesting a non-tech user of opensuse employ
> this method. I am somewhat technically capable, but not stupid enough to
> roll my own iptables when SuSEfirewall2 does the trick (and with yast
> support and very good system integration), so the above will have to be
> integrated.
>
> I would like to suggest that rate limiting like the above be added to
> SuSEfirewall2 though and enabled by default with home-user /
> desktop-suitable limits. On all services which are liable to a
> bruteforce attack.

ratelimiting can be set in SUSEfirewall2.

Default enabling it ... well, again triggers problems, because people
might be fall into this trap due to legit use.

CIao, Marcus
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-factory+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-factory+help@xxxxxxxxxxxx