[Bug 421806] New: Limiting ssh access to 3 per minute limits it to 1 per undefined time period
https://bugzilla.novell.com/show_bug.cgi?id=421806

           Summary: Limiting ssh access to 3 per minute limits it to 1 per undefined time period
           Product: openSUSE 11.0
           Version: Final
          Platform: 64bit
        OS/Version: openSUSE 11.0
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
        AssignedTo: security-team@suse.de
        ReportedBy: f.de.kruijf@hetnet.nl
         QAContact: qa@suse.de
          Found By: ---

I have in the file /etc/sysconfig/SuSEfirewall2 the line:

FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"

as is suggested in this file. This used to work rather well in openSUSE 10.3. However, in openSUSE 11.0 this blocks port 22 (ssh), at least for a long time, after being able to log in once. After that I have to restart the firewall to be able to log in again with ssh. But from one IP address only once. There is also no message in /var/log/firewall that the connection has been rejected. Wireshark shows that the SYN package is coming in.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
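Added example, not part of the bug report and not SuSEfirewall2 code: a small model of what the quoted `hitcount=3,blockseconds=60` entry is expected to do per source address, useful as a baseline when comparing against a live test of the firewall. It assumes the entry layout net,protocol,dport,sport,flags and that dropped attempts are not themselves counted; the class, function names and sample attempts are constructed for illustration.

```python
from collections import defaultdict, deque

# The entry quoted in the report.
ENTRY = "0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"

def parse_entry(entry):
    """Split one FW_SERVICES_ACCEPT_EXT entry (assumed: net,proto,dport,sport,flags...)."""
    net, proto, dport, sport, *flags = entry.split(",")
    opts = dict(flag.split("=", 1) for flag in flags)
    return {"net": net, "proto": proto, "dport": dport, "sport": sport,
            "hitcount": int(opts["hitcount"]),
            "blockseconds": int(opts["blockseconds"]),
            "recentname": opts["recentname"]}

class RecentLimiter:
    """Per-source model: drop a new connection when `hitcount` earlier
    accepted connections from that source fall inside the last `blockseconds`."""

    def __init__(self, hitcount, blockseconds):
        self.hitcount = hitcount
        self.window = blockseconds
        self.seen = defaultdict(deque)  # source IP -> timestamps of accepted SYNs

    def new_connection(self, src, now):
        stamps = self.seen[src]
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()            # forget hits older than the window
        if len(stamps) >= self.hitcount:
            return "DROP"               # assumption: a dropped attempt is not recorded
        stamps.append(now)
        return "ACCEPT"

def replay(entry, attempts):
    """Return the verdict for each (source, seconds) attempt under `entry`."""
    cfg = parse_entry(entry)
    limiter = RecentLimiter(cfg["hitcount"], cfg["blockseconds"])
    return [limiter.new_connection(src, t) for src, t in attempts]

# Constructed attempts (source IP, seconds since start); 192.0.2.0/24 is a documentation range.
ATTEMPTS = [("192.0.2.10", 0), ("192.0.2.10", 5), ("192.0.2.10", 10),
            ("192.0.2.10", 15), ("192.0.2.20", 16), ("192.0.2.10", 61),
            ("192.0.2.10", 62)]

if __name__ == "__main__":
    for (src, t), verdict in zip(ATTEMPTS, replay(ENTRY, ATTEMPTS)):
        print(f"t={t:>3}s {src:<12} {verdict}")
```

Under this model a source gets three accepted connections per 60 seconds and is admitted again once old hits age out, whereas the report describes a block after the first login that persists until the firewall is restarted.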
https://bugzilla.novell.com/show_bug.cgi?id=421806

User lnussel@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=421806#c1

Ludwig Nussel <lnussel@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
      Info Provider|                            |f.de.kruijf@hetnet.nl

--- Comment #1 from Ludwig Nussel <lnussel@novell.com> 2008-09-01 01:19:37 MDT ---
please attach the output of "SuSEfirewall2 status". you may also try using 0.0.0.0/0 instead of 0/0 in order to install the rule for ipv4 only (doesn't work for ipv6 anyways and produces an error message). Also make sure to use ipv4 to connect to the firewalled host (ssh -4 ...).
https://bugzilla.novell.com/show_bug.cgi?id=421806

User f.de.kruijf@hetnet.nl added comment
https://bugzilla.novell.com/show_bug.cgi?id=421806#c2

Freek de Kruijf <f.de.kruijf@hetnet.nl> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
      Info Provider|f.de.kruijf@hetnet.nl       |

--- Comment #2 from Freek de Kruijf <f.de.kruijf@hetnet.nl> 2008-09-01 03:03:57 MDT ---
Created an attachment (id=236500)
 --> (https://bugzilla.novell.com/attachment.cgi?id=236500)
Output of SuSEfirewall2 status

I have "Enable IPv6" unchecked in YaST->Network Devices->Network Settings->Global Options. Please note that the file /etc/sysconfig/SuSEfirewall2 has the same line as in openSUSE 10.3. In that environment it worked OK. It also looks, see attached file, as if the iptables configuration is OK. So the problem might be in the iptables kernel module.
https://bugzilla.novell.com/show_bug.cgi?id=421806

User f.de.kruijf@hetnet.nl added comment
https://bugzilla.novell.com/show_bug.cgi?id=421806#c3

--- Comment #3 from Freek de Kruijf <f.de.kruijf@hetnet.nl> 2008-09-01 06:15:04 MDT ---
Created an attachment (id=236560)
 --> (https://bugzilla.novell.com/attachment.cgi?id=236560)
firewall log since I started openSUSE11.0 for DPT=22

In this log it looks like it was with openSUSE 10.3 in the beginning. I regularly do an update of the software.
https://bugzilla.novell.com/show_bug.cgi?id=421806

User lnussel@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=421806#c4

Ludwig Nussel <lnussel@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|security-team@suse.de       |lnussel@novell.com
             Status|NEW                         |ASSIGNED

--- Comment #4 from Ludwig Nussel <lnussel@novell.com> 2008-09-01 06:39:46 MDT ---
It's a regression caused by the previous update. As a workaround you may downgrade to the SuSEfirewall2 version that was shipped with opensuse 11.0 as long as you are not hit by bugs that were fixed.
https://bugzilla.novell.com/show_bug.cgi?id=421806

User hmuelle@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=421806#c6

Harald Mueller-Ney <hmuelle@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |hmuelle@novell.com
             Status|NEEDINFO                    |ASSIGNED
      Info Provider|ast@novell.com              |

--- Comment #6 from Harald Mueller-Ney <hmuelle@novell.com> 2008-09-01 08:34:35 MDT ---
Fixing a regression.
SWAMPID: 19499
Please submit patchinfo and fixed packages.
https://bugzilla.novell.com/show_bug.cgi?id=421806

User lnussel@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=421806#c7

Ludwig Nussel <lnussel@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #7 from Ludwig Nussel <lnussel@novell.com> 2008-09-02 03:26:00 MDT ---
updates submitted
https://bugzilla.novell.com/show_bug.cgi?id=421806

User dmueller@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=421806#c8

--- Comment #8 from Dirk Mueller <dmueller@novell.com> 2008-09-09 19:06:08 MDT ---
released