Mailinglist Archive: opensuse (2459 mails)

Re: [opensuse] OpenSuse [10-3] SuSefirewall - protect sshd
  • From: "Otto Rodusek (AP-SGP)" <otto@xxxxxxxxxxxxxx>
  • Date: Tue, 11 Mar 2008 01:27:48 +0800
  • Message-id: <47D56F94.9050901@xxxxxxxxxxxxxx>
Adam Jimerson wrote:
On Monday 10 March 2008 09:10:22 am Patrick Shanahan wrote:

* Otto Rodusek (AP-SGP) <otto@xxxxxxxxxxxxxx> [03-10-08 04:16]:

I'm a bit confused with Susefirewall. I have had a number of robot
attacks against sshd so I set the following rule in SuSefirewall to
limit the number of allowable sshd logins per 60 second period:

look at the packages: fail2ban
denyhosts

http://download.opensuse.org/repositories/server:/monitoring/SUSE_Linux_10.1 and
http://download.opensuse.org/repositories/network:/utilities/SUSE_Linux_10.

I use fail2ban and am happy with it, but have you also considered making your
rule through iptables? Not sure if SuSEfirewall acts as a front end for
iptables, but it can't hurt to give it a try.

Hi Adam,

You may be correct!! I did an iptables -L and grep'ed for hitcount and
didn't find any!!! However, based on Boyd's recommendation I added
manually the following:

# Record each new SSH connection attempt (TCP SYN to port 22 arriving on eth0)
# in the "recent" list named sshattack, keyed by source address:
iptables -A INPUT -p tcp --syn --dport 22 -i eth0 -m recent --name sshattack --set

# Log, then drop, any packet whose source address has been recorded 3 or more
# times in the last 60 seconds. These two rules carry no -p/--dport, so they
# match all traffic from such a source, not only port 22:
iptables -A INPUT -m recent --name sshattack --rcheck --seconds 60 --hitcount 3 -j LOG --log-prefix 'SSH attack: '
iptables -A INPUT -m recent --name sshattack --rcheck --seconds 60 --hitcount 3 -j DROP

Now when I do an iptables -L I can see the following:

     tcp  --  anywhere  anywhere  tcp dpt:22 flags:FIN,SYN,RST,ACK/SYN recent: SET name: sshattack side: source
LOG  all  --  anywhere  anywhere  recent: CHECK seconds: 60 hit_count: 3 name: sshattack side: source LOG level warning prefix `SSH attack: '
DROP all  --  anywhere  anywhere  recent: CHECK seconds: 60 hit_count: 3 name: sshattack side: source
     tcp  --  anywhere  anywhere  tcp dpt:22 flags:FIN,SYN,RST,ACK/SYN recent: SET name: sshattack side: source
LOG  all  --  anywhere  anywhere  recent: CHECK seconds: 60 hit_count: 3 name: sshattack side: source LOG level warning prefix `SSH attack: '
DROP all  --  anywhere  anywhere  recent: CHECK seconds: 60 hit_count: 3 name: sshattack side: source

I'll monitor the logs and hope this solves it!! Thanks for your advice
and help. Rgds. Otto.
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx
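The three rules in Otto's message pack a fair amount of behaviour into a few
lines, so here is an added example, written for this archive page and not
code from the original message or from openSUSE, that models the iptables
"recent" match in Python and runs a constructed packet timeline through the
rules in the order they were appended. The model follows xt_recent semantics
as documented: --set stores the packet's timestamp for its source address, and
--rcheck --seconds 60 --hitcount 3 matches when the address is listed and at
least three stored timestamps fall within the last 60 seconds. The addresses,
the timings and the 20-timestamp cap per address are assumptions made for the
illustration.

```python
from collections import defaultdict, deque

SECONDS = 60      # --seconds 60
HITCOUNT = 3      # --hitcount 3
STAMPS_KEPT = 20  # xt_recent keeps a bounded number of timestamps per address
                  # (ip_pkt_list_tot, default 20); assumed here for the model


class RecentList:
    """One named list (--name sshattack), keyed by source address (side: source)."""

    def __init__(self):
        self._stamps = defaultdict(lambda: deque(maxlen=STAMPS_KEPT))

    def set(self, src, now):
        """--set: create the entry for src, or add another timestamp to it."""
        self._stamps[src].append(now)

    def rcheck(self, src, now, seconds, hitcount):
        """--rcheck --seconds S --hitcount N: true when src is listed and at
        least N of its stored timestamps fall within the last S seconds.
        Unlike --update, it never adds a timestamp of its own."""
        if src not in self._stamps:
            return False
        hits = sum(1 for t in self._stamps[src] if now - t < seconds)
        return hits >= hitcount


def ssh_syn(src, t):
    """A new SSH connection attempt: TCP SYN to port 22."""
    return {"src": src, "t": t, "proto": "tcp", "dport": 22, "syn": True}


def udp_dns(src, t):
    """An unrelated packet from the same host (UDP to port 53)."""
    return {"src": src, "t": t, "proto": "udp", "dport": 53, "syn": False}


def filter_input(packets):
    """Walk packets through the three appended rules, in order.

    Returns one (time, src, proto/port, verdict) tuple per packet. The verdict
    is 'DROP' (rule 3 fired, right after rule 2 logged 'SSH attack: ') or
    'pass' (the packet fell through to whatever follows in the INPUT chain).
    """
    sshattack = RecentList()
    result = []
    for p in sorted(packets, key=lambda p: p["t"]):
        src, now = p["src"], p["t"]
        # Rule 1: -p tcp --syn --dport 22 -i eth0 -m recent --name sshattack --set
        if p["proto"] == "tcp" and p["syn"] and p["dport"] == 22:
            sshattack.set(src, now)
        # Rules 2 and 3: -m recent --name sshattack --rcheck --seconds 60 --hitcount 3
        # They carry no -p/--dport, so every packet from a listed source is checked.
        verdict = "DROP" if sshattack.rcheck(src, now, SECONDS, HITCOUNT) else "pass"
        result.append((now, src, f"{p['proto']}/{p['dport']}", verdict))
    return result


def scenario():
    """Constructed timeline: one brute-forcing bot and one legitimate admin.
    Addresses and times are made up for the example."""
    bot, admin = "198.51.100.7", "192.0.2.10"
    packets = [
        ssh_syn(bot, 0),     # 1st SYN from the bot                    -> pass
        ssh_syn(bot, 5),     # 2nd within 60 s                         -> pass
        ssh_syn(bot, 10),    # 3rd within 60 s                         -> DROP (and logged)
        ssh_syn(admin, 12),  # a different source                      -> pass
        udp_dns(bot, 15),    # not SSH, but the bot is listed          -> DROP as well
        ssh_syn(admin, 20),  # admin's 2nd connection                  -> pass
        ssh_syn(bot, 100),   # bot returns after 60 s of quiet; only   -> pass again
                             # this stamp is inside the window
    ]
    return filter_input(packets)


def verdicts(log):
    return [v for _, _, _, v in log]


if __name__ == "__main__":
    for row in scenario():
        print("%4ds  %-14s %-7s %s" % row)
```

Two things the model makes visible. First, the check rules apply to any packet
from a listed source, not only to port 22, so the bot's DNS packet at t=15 is
dropped too. Second, what is counted is new TCP connections, not failed logins:
a single connection can still try as many passwords as sshd's MaxAuthTries
allows (6 by default), while three quick legitimate connections from one host,
say an scp followed by two ssh sessions, trip the limit exactly like a bot.
Separately, because the rules were added with -A they sit at the end of INPUT
and only see packets that no earlier rule has already accepted, and running the
same commands twice appends a second copy of each rule, as in the listing above;
iptables -L INPUT -n --line-numbers shows where they landed.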
