Mailinglist Archive: opensuse (1620 mails)

Re: [opensuse] Susefirewall limit connections
On 2014-11-16 10:25, Otto Rodusek wrote:
> On 16/11/14 13:17, Andrei Borzenkov wrote:
>
>> But are those connection requests dropped? I.e. your question is about
>> your rules that do not work or about how to prevent these
>> dropped connection attempts from being logged?
>
> Hi Andrei,
>
> Thanks for the feedback.
>
> The logging is not a problem, the problem is that the iptables command
> doesn't seem to do what I thought it was supposed to do.

Actually, it is.

> Here is an
> example from my log file (there are LOTS of lines over several hours!!).

So?

> I was hoping that the iptables command would limit the number of
> attempts and finally lock out that IP once exceeded,

Not unless you explicitly tell it to do so.

> but obviously it
> doesn't as the particular IP address has done this over several days
> over several hours!!
>
> 2014-11-08T21:04:52.851384+08:00 bunyip kernel: [3536575.813776]
> SFW2-INext-ACC-TCP IN=eth0 OUT=
> MAC=b8:ac:6f:80:12:a5:40:16:7e:a0:df:e5:08:00 SRC=212.83.177.15
> DST=192.168.19.1 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=38562 DF PROTO=TCP
> SPT=47964 DPT=5901 WINDOW=29200 RES=0x00 SYN URGP=0 OPT
> (020405B40402080A000666B30000000001030307)

Notice that the connection is accepted on the firewall, not rejected.
The log is only telling you that.

And as it is accepted, it can never block it.

This port could be used by some local program of yours. It is also
reported as used by some trojans.

RFB uses it:

http://en.wikipedia.org/wiki/RFB_protocol

«RFB (“remote framebuffer”) is a simple protocol for remote access to
graphical user interfaces. Because it works at the framebuffer level it
is applicable to all windowing systems and applications, including
Microsoft Windows, Mac OS X and the X Window System. RFB is the protocol
used in Virtual Network Computing (VNC) and its derivatives.»

You simply have to close all (high) ports. Or set up a connection limit
on that port.


(The attacking site is a hosting site in France, if that tells you
something)

--
Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)
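
Added example, not part of the original mail: a small Python log check that separates accepted (`ACC`) from dropped entries in SuSEfirewall2 kernel log lines and counts accepted connection attempts per source and destination port, which is the distinction the reply draws from the `SFW2-INext-ACC-TCP` prefix. The sample lines are constructed and abbreviated from the one quoted in the thread; the `203.0.113.x` sources, the `DROP-DEFLT` entries and the threshold are assumptions.

```python
import re
from collections import Counter

# SuSEfirewall2 log prefix as seen in the thread: SFW2-<chain>-<action>-<detail>
LINE_RE = re.compile(
    r"SFW2-(?P<chain>\w+)-(?P<action>[A-Z]+)\S*\s.*?"
    r"SRC=(?P<src>\S+)\s.*?PROTO=(?P<proto>\S+)\s.*?DPT=(?P<dpt>\d+)"
)

# Constructed, abbreviated sample lines modelled on the one quoted in the thread.
TEMPLATE = ("2014-11-08T21:04:5{n}+08:00 bunyip kernel: SFW2-INext-{act} IN=eth0 "
            "OUT= SRC={src} DST=192.168.19.1 LEN=60 PROTO=TCP SPT=47964 "
            "DPT={dpt} SYN URGP=0")
EVENTS = [
    ("ACC-TCP", "212.83.177.15", 5901),
    ("ACC-TCP", "212.83.177.15", 5901),
    ("DROP-DEFLT", "203.0.113.9", 23),    # made-up dropped probe
    ("ACC-TCP", "203.0.113.7", 5901),     # made-up single accepted connection
    ("ACC-TCP", "212.83.177.15", 5901),
    ("DROP-DEFLT", "203.0.113.9", 23),
]
SAMPLE = [TEMPLATE.format(n=i, act=a, src=s, dpt=d)
          for i, (a, s, d) in enumerate(EVENTS)]

def parse(line):
    """Return (action, src, proto, dport) for a SuSEfirewall2 log line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["action"], m["src"], m["proto"], int(m["dpt"])

def accepted_counts(lines):
    """Count log entries the firewall ACCEPTED, keyed by (source, dest port)."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec and rec[0] == "ACC":
            counts[(rec[1], rec[3])] += 1
    return counts

def noisy_sources(lines, threshold):
    """Sources whose accepted attempts to one port reach the threshold."""
    return sorted(k for k, n in accepted_counts(lines).items() if n >= threshold)

if __name__ == "__main__":
    for (src, port), n in accepted_counts(SAMPLE).most_common():
        print(f"{src} -> port {port}: {n} accepted")
    print("over threshold:", noisy_sources(SAMPLE, threshold=3))
```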
