Mailinglist Archive: opensuse (1620 mails)

Re: [opensuse] Susefirewall limit connections
The tool fail2ban is designed for that. fail2ban watches logfiles and
you can define limits and actions. Builtin actions are locking out via
iptables or tcpwrapper. The iptables lockout works with SuSEfirewall.

On 11/16/2014 04:37 AM, Otto Rodusek wrote:
Hi ListMates,

I have a large number of attacks on my customer's ports (10022, 5901,
5904) running OpenSuse 13.1 x64.

Basically I would like the firewall to allow no more than 5 attempts per
60 second period (or 1 attempt per 12 seconds), after which I would like
the firewall to PERMANENTLY LOCK out the attempting IP. I'm not sure
whether this can be done via the SuseFirewall or whether I need to write
a script to do it.

I have tried a couple of methods with the following script BUT I still get
several (thousands of) attempts in my firewall logs.

Any suggestions?

Thanks and best regards. Otto.

---------Start of bash script-----------
#!/bin/bash

#####command to use
IPT=/usr/sbin/iptables

#####time window in seconds
#####(SECONDS is a bash builtin that keeps counting up from whatever is
#####assigned to it, so a plain variable name is used for the window)
WINDOW=60

#####Max new connections per IP within the window
BLOCKCOUNT=5

#####default action can be DROP or REJECT
DACTION="DROP"

#####default port to monitor (if not input)
PORT=10022

if [ $# = 1 ]
then
PORT=$1
fi

#####method 1: record every new connection, then drop the source once it
#####has been seen BLOCKCOUNT times within WINDOW seconds
$IPT -A INPUT -p tcp --dport ${PORT} -m state --state NEW -m recent \
--set --name rule${PORT}
$IPT -A INPUT -p tcp --dport ${PORT} -m state --state NEW -m recent \
--update --name rule${PORT} \
--seconds ${WINDOW} --hitcount ${BLOCKCOUNT} -j ${DACTION}

#####method 2: same idea with --rcheck (does not refresh the timestamp)
#####and an explicit REJECT instead of a silent DROP
#$IPT -A INPUT -p tcp --dport ${PORT} -m state --state NEW -m recent --set
#
#$IPT -A INPUT -p tcp --dport ${PORT} -m state --state NEW -m recent \
#--rcheck \
#--seconds ${WINDOW} --hitcount ${BLOCKCOUNT} -j REJECT \
#--reject-with icmp-port-unreachable

---------End of bash script-----------
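A fail2ban-style version of the limit the original post asks for, as an added example rather than code from the thread or from fail2ban itself: it reads netfilter log lines of the kind SuSEfirewall2 writes (the lines below are constructed for the example, not taken from the poster's logs), counts new connections per source address to the watched ports inside a 60 second sliding window, and marks an address for a permanent ban once it reaches 5 hits. The port set, the thresholds, the log prefix and the iptables command string are assumptions for the example; the ban commands are built as strings and never executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Hypothetical policy mirroring the thread: at most MAXRETRY new connections
# per FINDTIME seconds to a watched port; offenders are banned permanently.
WATCHED_PORTS = {10022, 5901, 5904}
MAXRETRY = 5
FINDTIME = 60          # seconds (fail2ban calls this findtime)
LOG_YEAR = 2014        # syslog timestamps carry no year; assumed for parsing

# Constructed netfilter log lines in the shape SuSEfirewall2 produces
# (prefix and field values invented for this example).
SAMPLE_LOG = """\
Nov 16 04:30:00 fw kernel: SFW2-INext-ACC TCP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=10022 SYN
Nov 16 04:30:05 fw kernel: SFW2-INext-ACC TCP IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=52000 DPT=5901 SYN
Nov 16 04:30:09 fw kernel: SFW2-INext-ACC TCP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=10022 SYN
Nov 16 04:30:18 fw kernel: SFW2-INext-ACC TCP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=10022 SYN
Nov 16 04:30:20 fw kernel: SFW2-INext-ACC TCP IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=52001 DPT=5901 SYN
Nov 16 04:30:27 fw kernel: SFW2-INext-ACC TCP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51003 DPT=10022 SYN
Nov 16 04:30:30 fw kernel: SFW2-INext-ACC TCP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51004 DPT=80 SYN
Nov 16 04:30:36 fw kernel: SFW2-INext-ACC TCP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51005 DPT=10022 SYN
Nov 16 04:30:40 fw kernel: SFW2-INext-ACC TCP IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=52002 DPT=5901 SYN
Nov 16 04:30:55 fw kernel: SFW2-INext-ACC TCP IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=52003 DPT=5901 SYN
Nov 16 04:31:15 fw kernel: SFW2-INext-ACC TCP IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=52004 DPT=5901 SYN
"""

# syslog timestamp, then the SRC= and DPT= fields netfilter logs for every packet
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (timestamp, src_ip, dst_port) or None for lines without them."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return ts, m.group("src"), int(m.group("dpt"))


def find_offenders(lines, maxretry=MAXRETRY, findtime=FINDTIME, ports=WATCHED_PORTS):
    """Sliding-window hit counter per source IP; returns {ip: time_of_ban}."""
    hits = defaultdict(deque)
    banned = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dpt = parsed
        if dpt not in ports or src in banned:
            continue
        window = hits[src]
        window.append(ts)
        # Forget hits older than the window; lines arrive in time order,
        # so the oldest hit is always at the left end of the deque.
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[src] = ts       # no expiry: this is the permanent ban
    return banned


def ban_commands(banned, chain="INPUT"):
    """iptables commands a fail2ban-style action would run (strings only)."""
    return ["/usr/sbin/iptables -I %s -s %s -j DROP" % (chain, ip)
            for ip in sorted(banned)]


if __name__ == "__main__":
    offenders = find_offenders(SAMPLE_LOG.splitlines())
    for cmd in ban_commands(offenders):
        print(cmd)
```

On the constructed log, 203.0.113.7 reaches five new connections to port 10022 inside 36 seconds (the port 80 line is ignored) and is banned; 198.51.100.4 makes five connections to 5901, but the first one has aged out of the window by the time the fifth arrives, so it stays under the limit. This is the part `-m recent` alone cannot deliver: its `--seconds` window is bounded and entries age out, whereas fail2ban's `bantime` accepts a negative value for a ban with no expiry, with `ignoreip` to keep management addresses out of the ban list. Two practical notes: a permanent ban with no review will eventually lock out legitimate users behind shared or reassigned addresses, so keep the ban log and a way to unban; and rules appended with `-A INPUT` after SuSEfirewall2 has loaded land behind its own chains and may never see the packets, which SuSEfirewall2 addresses with the custom-rules hooks in /etc/sysconfig/scripts/SuSEfirewall2-custom.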
