Mailinglist Archive: opensuse (1620 mails)

< Previous Next >
Re: [opensuse] Susefirewall limit connections
On 16/11/14 21:45, Carlos E. R. wrote:
On 2014-11-16 10:25, Otto Rodusek wrote:
On 16/11/14 13:17, Andrei Borzenkov wrote:
But are those connection requests dropped? I.e. your question is about
your rules that do not work or about how to prevent these
dropped connection attempts from being logged?

Hi Andrei,

Thanks for the feedback.

The logging is not a problem, the problem is that the iptables command
doesn't seem to do what I thought it was supposed to do.
Actually, it is.

Here is an
example from my log file (there are LOTS of lines over several hours!!).

I was hoping that the iptables command would limit the number of
attempts and finally lock out that IP once exceeded,
Not unless you explicitly tell it to do so.

but obviously it
doesn't as the particular IP address has done this over several days
over several hours!!

2014-11-08T21:04:52.851384+08:00 bunyip kernel: [3536575.813776]
MAC=b8:ac:6f:80:12:a5:40:16:7e:a0:df:e5:08:00 SRC=
DST= LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=38562 DF PROTO=TCP
SPT=47964 DPT=5901 WINDOW=29200 RES=0x00 SYN URGP=0 OPT
Notice that the connection is accepted on the firewall, not rejected.
The log is only telling you that.

And as it is accepted, it can never block it.

This port could be used by some local program of yours. It is also
reported as used by some trojans.

RFB uses it:

«RFB (“remote framebuffer”) is a simple protocol for remote access to
graphical user interfaces. Because it works at the framebuffer level it
is applicable to all windowing systems and applications, including
Microsoft Windows, Mac OS X and the X Window System. RFB is the protocol
used in Virtual Network Computing (VNC) and its derivatives.»

You simply have to close all (high) ports. Or set up a connection limit
on that port.

(The attacking site is a hosting site in France, if that tells you

Hi Carlos,

Thanks for your feedback.

Yep, most of my ports are disabled - however I use 10022 (ssh) and 5901-5906 are VM servers that my users need to access from outside.

From the logs (I get a LOT from France, Belgium and mostly China) I am assuming that it is a robot dictionary or brute force attack to get the password. That's why I want the Firewall to be "unforgiving", let you try 5 times in 60 seconds and if you (IP) fails then permanently block that IP. From reading "iptables" I though that's what I was doing but from the log obviously not!!

I think I need to try what Marcus suggested and check with the -v option and see what's happening. (Actually I was hoping that someone on the list had already gone thru this and had the exact syntax for what I need!!).

Again thanks. Best regards. Otto.
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx

< Previous Next >
Follow Ups