Mailinglist Archive: opensuse (1632 mails)
Re: [opensuse] dictionary attacks
- From: Richard Creighton <ricreig@xxxxxxxxx>
- Date: Tue, 17 Jul 2007 08:41:04 -0400
- Message-id: <469CB8E0.9060101@xxxxxxxxx>
John, you have been a tremendous amount of help. I am posting my reply
to the list as well as direct to you because your answer may be of
benefit to the list members and the question I pose may also be of
John Andersen wrote:
> On Tuesday 17 July 2007, Richard Creighton wrote:
>> I am wondering if you know if that is even close to your
>> recommendation....or should I try 60 instead of 120 or is that even an
>> equivalent field. Or like me, is that so obtuse that you too do not
>> the answer and would be guessing as did I when I tried to set it up
> If you look at the times
> Jul 17 00:38:27 raid5 sshd: Invalid user staff from 184.108.40.206
> Jul 17 00:38:32 raid5 sshd: Invalid user sales from 220.127.116.11
> Jul 17 00:38:37 raid5 sshd: Invalid user recruit from 18.104.22.168
> Jul 17 00:38:42 raid5 sshd: Invalid user alias from 22.214.171.124
> Jul 17 00:38:48 raid5 sshd: Invalid user office from 126.96.36.199
> Jul 17 00:38:53 raid5 sshd: Invalid user samba from 188.8.131.52
> You see that they are around 5 seconds between each attempt.
> Therefore your 3 in 120 should have started blocking after the 4th
> But it didn't, that's why I think your firewall is not honoring this
> at all, which is what I mentioned in my first post.
> It is possible that your version of the kernel does not have "recent"
> support turned on.
> This is a feature that not all kernels have. Explained here:
> To see if this is in your kernel type this as root in a shell
> iptables -m recent --help
> That should give a lot of help text which ends with
> " ipt_recent v0.3.1: Stephen Frost <sfrost@xxxxxxxxxxx>"
> If it says
> "Couldn't load match `recent' ..."
> then you don't have recent match installed.
This is what the last line says, once I found it in /usr/sbin as root:
ipt_recent v0.3.1: Stephen Frost <sfrost@xxxxxxxxxxx>.
I also found this when I dumped the contents of my IPTABLES with sudo
/usr/sbin/iptables -L > iptables.txt and extracted what I think
pertains to the settings I *used* to have. For some reason (maybe I
have to reboot ----nah, this is Linux but I must have to do something
I forgot) the settings didn't take. I used to have settings of 5 and
300 instead of 3 and 120 but the numbers stood out. I don't know where
the limit: avg 3/min burst setting comes in.
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ssh state NEW recent: CHECK seconds: 300 hit_count: 5 name: ssh side: source LOG level warning tcp-options ip-options prefix `SFW2-INext-DROPr '
DROP tcp -- anywhere anywhere tcp dpt:ssh state NEW recent: UPDATE seconds: 300 hit_count: 5 TTL-Match name: ssh
> But in any event, I don't believe its being honored.
What I'm wondering is if it *is* being honored as far as the hacker is
concerned, i.e., he is not getting past the 'DROP', but because of the LOG
setting, I am still getting notice???? Does that seem plausible to you
and if so, can you think of a way to test it?
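One way to check the reasoning in this thread is to model the `recent` match's seconds/hit_count window and run it over sshd log lines; this is an added example, not code from the list or from SuSEfirewall2, and it assumes the per-source list is checked before the current attempt is recorded (rule ordering the message does not show) and uses constructed log lines from a single source rather than the addresses quoted above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (not the original message's lines): one source
# retrying roughly every 5 seconds, the spacing observed in the thread.
SAMPLE_LOG = """\
Jul 17 00:38:27 raid5 sshd: Invalid user staff from 192.0.2.10
Jul 17 00:38:32 raid5 sshd: Invalid user sales from 192.0.2.10
Jul 17 00:38:37 raid5 sshd: Invalid user recruit from 192.0.2.10
Jul 17 00:38:42 raid5 sshd: Invalid user alias from 192.0.2.10
Jul 17 00:38:48 raid5 sshd: Invalid user office from 192.0.2.10
Jul 17 00:38:53 raid5 sshd: Invalid user samba from 192.0.2.10
"""

LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd(?:\[\d+\])?: "
    r"Invalid user \S+ from (\S+)")

def parse_sshd_log(text, year=2007):
    """Return (timestamp, source_ip) for each sshd 'Invalid user' line.
    Syslog lines carry no year, so one is supplied (assumed 2007 here)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2)))
    return events

def simulate_recent(events, seconds, hitcount):
    """Model of '-m recent --seconds S --hitcount N' kept per source.
    An attempt is dropped when the source already has >= hitcount earlier
    attempts inside the window; every attempt (dropped or not) is then
    recorded, as the UPDATE rule in the thread does. Returns
    (timestamp, ip, dropped) in log order."""
    seen = defaultdict(list)   # ip -> timestamps of earlier attempts
    result = []
    for ts, ip in events:
        recent = [t for t in seen[ip] if (ts - t).total_seconds() <= seconds]
        dropped = len(recent) >= hitcount
        result.append((ts, ip, dropped))
        seen[ip] = recent + [ts]
    return result

def first_dropped_attempt(events, seconds, hitcount):
    """1-based index of the first attempt the rule would drop, or None."""
    for i, (_, _, dropped) in enumerate(simulate_recent(events, seconds, hitcount), 1):
        if dropped:
            return i
    return None
```

With the 3-in-120 setting the model drops from the 4th attempt and with 5-in-300 from the 6th; an attempt that iptables really dropped never reaches sshd, so it would produce no "Invalid user" line at all, which is the difference between a working DROP and a LOG rule that merely keeps reporting.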