On Sun, Mar 30, 2008 at 11:09:14AM +1300, Volker Kuhlmann wrote:
> On Sun 30 Mar 2008 03:39:11 NZDT +1300, Per Jessen wrote:
> > If you're on a LAN, you don't really need a firewall, do you?
> 
> You're doing my trick: post well after bedtime.
> 
> > I don't use the openSUSE firewall
> 
> That's where your problem starts getting big quickly.
> 
> > , but setting up a rate-check is only 3 iptables entries.
> > 
> > iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
> > iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j LOG --log-prefix 'SSH attack: '
> > iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j REJECT
> 
> You can't be seriously suggesting a non-tech user of opensuse employ this method. I am somewhat technically capable, but not stupid enough to roll my own iptables when SuSEfirewall2 does the trick (and with yast support and very good system integration), so the above will have to be integrated.
> 
> I would like to suggest that rate limiting like the above be added to SuSEfirewall2 though and enabled by default with home-user / desktop-suitable limits. On all services which are liable to a bruteforce attack.
Ratelimiting can be set in SUSEfirewall2. Default enabling it ... well, again triggers problems, because people might fall into this trap due to legit use.

Ciao, Marcus
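The three-rule rate check quoted above, and Marcus's point that legitimate use can trip it, modelled as an added example (this is not code from the thread or from SuSEfirewall2): a small Python simulation of the netfilter `recent` match, where `--set` records every SYN and `--update --seconds 60 --hitcount 6` matches once six recorded SYNs fall inside the last 60 seconds. The per-source stamp cap of 20 (the kernel's default `ip_pkt_list_tot`) and the sample addresses are assumptions.

```python
"""Simulation of the 'recent' match as used by the three SSH rules in the thread.

Constructed model, not kernel code: a per-source list of SYN timestamps,
a --set that always records the packet, and an --update that matches when
at least HITCOUNT recorded packets fall inside the last SECONDS seconds
(and, only on a match, records the packet again)."""
from collections import defaultdict

SECONDS, HITCOUNT = 60, 6   # values from the rules quoted in the thread
MAX_STAMPS = 20             # assumed kernel default ip_pkt_list_tot (ring buffer)


class RecentList:
    def __init__(self):
        self.stamps = defaultdict(list)   # source address -> SYN times

    def set(self, src, now):
        """--set: record this packet unconditionally (rule 1)."""
        st = self.stamps[src]
        st.append(now)
        del st[:-MAX_STAMPS]              # oldest stamps drop off the ring

    def update(self, src, now, seconds=SECONDS, hitcount=HITCOUNT):
        """--update --seconds S --hitcount N: True if >= N packets in window."""
        st = self.stamps.get(src, [])
        hits = sum(1 for t in st if now - t <= seconds)
        matched = hits >= hitcount
        if matched:                       # --update refreshes the entry on a match
            st.append(now)
            del st[:-MAX_STAMPS]
        return matched


def filter_syn(table, src, now):
    """Run one SYN to port 22 through the three rules: (verdict, logged)."""
    table.set(src, now)                   # rule 1: -m recent --set
    logged = table.update(src, now)       # rule 2: -j LOG (non-terminating)
    if table.update(src, now):            # rule 3: -j REJECT
        return "REJECT", logged
    return "ACCEPT", logged               # falls through to later rules


def run(events):
    """events: list of (src, t) SYNs in time order; returns the verdicts."""
    table = RecentList()
    return [filter_syn(table, src, t)[0] for src, t in events]
```

A user opening six sessions within a minute (a scripted scp loop, say) is rejected on the sixth just like a brute-forcer, which is the "legit use" trap Marcus refers to; the source is accepted again once its last SYN is more than 60 seconds old.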