Mailinglist Archive: opensuse-security (36 mails)

Re: [opensuse-security] SuSefirewall - protect sshd
  • From: "Carlos E. R." <robin.listas@xxxxxxxxxxxxxx>
  • Date: Mon, 10 Mar 2008 23:53:08 +0100 (CET)
  • Message-id: <alpine.LSU.1.00.0803102135330.6321@xxxxxxxxxxxxxxxx>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



The Monday 2008-03-10 at 17:21 +0100, Ludwig Nussel wrote:

> FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
>
> Provided that your network interface is in the external zone this
> should work fine.

There is a problem. I tried to set that line on my system, and on firewall reload I get an error:

nimrodel:~ # SuSEfirewall2
SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
SuSEfirewall2: Warning: no default firewall zone defined, assuming 'ext'
SuSEfirewall2: Firewall customary rules loaded from
/etc/sysconfig/scripts/SuSEfirewall2-custom
SuSEfirewall2: batch committing...
SuSEfirewall2: Firewall rules successfully set

nimrodel:~ # jstar /etc/sysconfig/SuSEfirewall2

nimrodel:~ # SuSEfirewall2
SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
SuSEfirewall2: Warning: no default firewall zone defined, assuming 'ext'
SuSEfirewall2: Firewall customary rules loaded from
/etc/sysconfig/scripts/SuSEfirewall2-custom
SuSEfirewall2: batch committing...
ip6tables-batch v1.3.8: Couldn't load match
`recent':/usr/lib/iptables/libip6t_recent.so: cannot open shared object file:
No such file or directory

Try `ip6tables-batch -h' or 'ip6tables-batch --help' for more information.
SuSEfirewall2: Error: ip6tables-batch failed, re-running using ip6tables
ip6tables v1.3.8: Couldn't load match
`recent':/usr/lib/iptables/libip6t_recent.so: cannot open shared object file:
No such file or directory

Try `ip6tables -h' or 'ip6tables --help' for more information.
ip6tables v1.3.8: Couldn't load match
`recent':/usr/lib/iptables/libip6t_recent.so: cannot open shared object file:
No such file or directory

Try `ip6tables -h' or 'ip6tables --help' for more information.
SuSEfirewall2: Firewall rules successfully set

nimrodel:~ # locate libip6t_recent
nimrodel:~ # uname -a
Linux nimrodel 2.6.22.17-0.1-default #1 SMP 2008/02/10 20:01:04 UTC i686 i686
i386 GNU/Linux



If "libip6t_recent.so" is missing from the kernel, it won't work, no? Or is that only for ip version 6?


Anyway, running "SuSEfirewall2 status" here shows:

0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:22 state NEW recent: UPDATE seconds: 60 hit_count: 3 TTL-Match
name: ssh side: source
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:22 state NEW recent: SET name: ssh side: source
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:22

His output is not the same as mine:

0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0
limit: avg 3/min burst 5 tcp dpt:22 state NEW recent: CHECK seconds: 60
hit_count: 3 name: ssh side: source LOG flags 6 level 4 prefix
`SFW2-INext-DROPr '
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:22 state NEW recent: UPDATE seconds: 60 hit_count: 3 TTL-Match
name: ssh side: source
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:22 state NEW limit: avg 3/min burst 5 LOG flags 6 level 4
prefix `SFW2-INext-ACC '
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:22 state NEW recent: SET name: ssh side: source
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:22



Whatever it is, it doesn't work. I tried to log in from another computer on my network (external interface), and I see the connections without the firewall closing them.

Mar 10 23:39:17 nimrodel sshd[26164]: error: PAM: User not known to the
underlying authentication module for illegal user pepon from telperion.valinor
Mar 10 23:39:20 nimrodel sshd[26164]: error: PAM: User not known to the
underlying authentication module for illegal user pepon from telperion.valinor
Mar 10 23:39:20 nimrodel sshd[26164]: error: PAM: User not known to the
underlying authentication module for illegal user pepon from telperion.valinor
Mar 10 23:39:26 nimrodel sshd[26169]: error: PAM: User not known to the
underlying authentication module for illegal user pepon from telperion.valinor
Mar 10 23:39:29 nimrodel syslog-ng[3792]: last message repeated 2 times
Mar 10 23:39:29 nimrodel sshd[26174]: error: PAM: User not known to the
underlying authentication module for illegal user pepon from telperion.valinor
Mar 10 23:39:33 nimrodel syslog-ng[3792]: last message repeated 2 times
Mar 10 23:39:33 nimrodel sshd[26179]: error: PAM: User not known to the
underlying authentication module for illegal user pepon from telperion.valinor
Mar 10 23:39:36 nimrodel syslog-ng[3792]: last message repeated 2 times
Mar 10 23:39:36 nimrodel sshd[26184]: error: PAM: User not known to the
underlying authentication module for illegal user pepon from telperion.valinor
Mar 10 23:39:39 nimrodel syslog-ng[3792]: last message repeated 2 times
Mar 10 23:39:39 nimrodel sshd[26189]: error: PAM: User not known to the
underlying authentication module for illegal user pepon from telperion.valinor
Mar 10 23:39:42 nimrodel syslog-ng[3792]: last message repeated 2 times
Mar 10 23:39:42 nimrodel sshd[26194]: error: PAM: User not known to the
underlying authentication module for illegal user pepon from telperion.valinor
Mar 10 23:39:45 nimrodel syslog-ng[3792]: last message repeated 2 times
Mar 10 23:39:45 nimrodel sshd[26199]: error: PAM: User not known to the
underlying authentication module for illegal user pepon from telperion.valinor
Mar 10 23:39:49 nimrodel syslog-ng[3792]: last message repeated 2 times
Mar 10 23:39:49 nimrodel sshd[26204]: error: PAM: User not known to the
underlying authentication module for illegal user pepon from telperion.valinor
Mar 10 23:39:52 nimrodel syslog-ng[3792]: last message repeated 2 times
Mar 10 23:39:52 nimrodel sshd[26209]: error: PAM: User not known to the
underlying authentication module for illegal user pepon from telperion.valinor
Mar 10 23:40:18 nimrodel syslog-ng[3792]: last message repeated 2 times


All in the same minute, and the firewall doesn't act.

Looking at the output of iptables I see:

nimrodel:~ # iptables --list --verbose | grep "recent\|\:22"
13 780 ACCEPT tcp -- any any telperion.valinor anywhere
state NEW,RELATED,ESTABLISHED tcp dpt:22
0 0 ACCEPT tcp -- any any dyna1.valinor anywhere
state NEW,RELATED,ESTABLISHED tcp dpt:22
0 0 DROP tcp -- any any anywhere anywhere
tcp dpt:22 state NEW recent: UPDATE seconds: 60 hit_count: 3 TTL-Match
name: ssh side: source
0 0 ACCEPT tcp -- any any anywhere anywhere
tcp dpt:22 state NEW recent: SET name: ssh side: source
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:22
nimrodel:~ #





- -- Cheers,
Carlos E. R.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4-svn0 (GNU/Linux)

iD8DBQFH1bvctTMYHG2NR9URAi1FAJ4k2QYEIZA0fyQwXWqgECqyeTz+5ACdFmma
ryzkfq8btbB4YnTNhLmgZOA=
=hD/s
-----END PGP SIGNATURE-----
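Added example, not code from the thread, from SuSEfirewall2 or from netfilter: a small Python model of iptables' `recent` match (`--set`; `--update --seconds 60 --hitcount 3`) together with first-match chain traversal, in the rule order shown by the `iptables --list --verbose` listing above, where the per-host ACCEPT rule for telperion.valinor carries 13 packets and the two `recent` rules carry 0. The model assumes the `--rttl` TTL comparison can be ignored, uses a constructed documentation address (192.0.2.10) for the untrusted source, and treats a packet reaching the end of the listed rules as unmatched.

```python
"""Model of the `recent`-based SSH throttle discussed in the thread.

Added example, not SuSEfirewall2 or netfilter code: it re-implements the
documented semantics of iptables' `recent` match (--set; --update with
--seconds/--hitcount) and first-match chain traversal, so the effect of
rule order can be checked offline.  The --rttl TTL comparison is omitted.
"""
from collections import defaultdict


class RecentList:
    """One xt_recent table (the 'ssh' list in the thread)."""

    def __init__(self, max_stamps=20):
        # The kernel keeps a bounded ring of hit timestamps per source.
        self.max_stamps = max_stamps
        self.entries = defaultdict(list)

    def _record(self, src, now):
        stamps = self.entries[src]
        stamps.append(now)
        del stamps[:-self.max_stamps]

    def set(self, src, now):
        """--set: record a hit for src; always matches."""
        self._record(src, now)
        return True

    def update(self, src, now, seconds, hitcount):
        """--update --seconds S --hitcount N: match only if src is listed with
        at least N hits in the last S seconds; a match records another hit,
        which keeps extending the block while attempts continue."""
        stamps = self.entries.get(src)
        if not stamps:
            return False
        hits = sum(1 for t in stamps if now - t <= seconds)
        if hits < hitcount:
            return False
        self._record(src, now)
        return True


def build_chain(recent, trusted_hosts=("telperion.valinor", "dyna1.valinor")):
    """Rules in the order they appear in the `iptables --list --verbose`
    output in the thread: per-host ACCEPT rules first, then the throttle."""
    rules = []
    for host in trusted_hosts:
        rules.append((f"ACCEPT dpt:22 from {host}",
                      lambda p, h=host: p["src"] == h and p["dport"] == 22,
                      "ACCEPT"))
    rules.append(("DROP dpt:22 NEW recent UPDATE 60s hitcount 3",
                  lambda p: p["dport"] == 22 and p["state"] == "NEW"
                  and recent.update(p["src"], p["time"], 60, 3),
                  "DROP"))
    rules.append(("ACCEPT dpt:22 NEW recent SET",
                  lambda p: p["dport"] == 22 and p["state"] == "NEW"
                  and recent.set(p["src"], p["time"]),
                  "ACCEPT"))
    rules.append(("ACCEPT dpt:22", lambda p: p["dport"] == 22, "ACCEPT"))
    return rules


def run_chain(rules, packets):
    """First match wins; returns verdicts plus per-rule packet counters
    (the first column of `iptables --list --verbose`)."""
    counters = [0] * len(rules)
    verdicts = []
    for pkt in packets:
        verdict = "NO-MATCH"
        for i, (_, match, target) in enumerate(rules):
            if match(pkt):
                counters[i] += 1
                verdict = target
                break
        verdicts.append(verdict)
    return verdicts, counters


def ssh_attempts(src, times):
    """Constructed sample traffic: one NEW connection to port 22 per timestamp."""
    return [{"src": src, "dport": 22, "state": "NEW", "time": t} for t in times]


def trusted_host_scenario():
    """Attempts every 3 s from a host that has its own ACCEPT rule."""
    recent = RecentList()
    verdicts, counters = run_chain(build_chain(recent),
                                   ssh_attempts("telperion.valinor", range(0, 30, 3)))
    return verdicts, counters


def untrusted_host_scenario():
    """Same cadence from an address with no earlier rule (192.0.2.10 is a
    constructed documentation address), plus one attempt after the window."""
    recent = RecentList()
    times = list(range(0, 30, 3)) + [100]
    verdicts, counters = run_chain(build_chain(recent),
                                   ssh_attempts("192.0.2.10", times))
    return verdicts, counters


if __name__ == "__main__":
    for name, scenario in (("trusted", trusted_host_scenario),
                           ("untrusted", untrusted_host_scenario)):
        verdicts, counters = scenario()
        print(f"{name}: {' '.join(v[0] for v in verdicts)}  counters={counters}")
```

Running it shows the two behaviours side by side: from a source that already has an earlier ACCEPT rule every attempt is accepted by that rule and the `recent` counters stay at 0, while from a source with no earlier rule the fourth NEW connection inside 60 seconds is dropped, each further attempt extends the block, and the list entry only ages out once the source stays quiet for the full window. When checking such a throttle, test from an address that is not matched by any rule placed above it in the chain.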
