Hi ListMates,
I'm trying to resolve a problem with SuSEfirewall2 that I've had for
some time and I'm hoping to get a resolution if possible. I'm trying
this on a Dell Server T110 using openSUSE Linux 11.2 - uname: Linux
bunyip 2.6.31.12-0.2-desktop #1 SMP PREEMPT 2010-03-16 21:25:39 +0100
i686 i686 i386 GNU/Linux.
I'm trying to restrict the number of sshd login attempts to only 5 per
minute and no more.
I've read the docs and have modified /etc/sysconfig/SuSEfirewall2
(FW_SERVICES_ACCEPT_EXT="0/0,tcp,22") to
(FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=5,blockseconds=60,recentname=ssh").
If I check my logs I can see that MANY sshd login attempts still
happen within the 60 seconds. I have installed a perl program to catch
and firewall those culprits BUT I would still like to know why the above
configuration doesn't seem to work. Have I forgotten to edit something else? Any
help would be much appreciated.
If it helps, below is the output of iptables -L - maybe someone can
spot something here?
Again much thanks for any help in this area.
bunyip:/etc/sysconfig # iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
DROP all -- 60.210.8.234 anywhere
DROP all -- 59.151.119.180 anywhere
DROP all -- 61.160.249.80 anywhere
DROP all -- 118.45.235.157 anywhere
DROP all -- 210.51.191.232 anywhere
DROP all -- pd95b8832.dip0.t-ipconnect.de anywhere
DROP all -- 218.75.79.18 anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state ESTABLISHED
ACCEPT icmp -- anywhere anywhere state RELATED
input_ext all -- anywhere anywhere
input_ext all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
DROP all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING '

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR '

Chain forward_ext (0 references)
target prot opt source destination

Chain input_ext (2 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE = broadcast
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:netbios-ns state RELATED
ACCEPT gre -- anywhere anywhere
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ndmp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:ndmp
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:scp-config flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:scp-config
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:pptp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:pptp
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ftp-data flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ni-ftp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:ni-ftp
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:http flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:http
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:https flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:https
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:smtp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:urd flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:urd
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:netbios-ssn flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ssn
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:microsoft-ds flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ftp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpts:30000:30100 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpts:30000:30100
ACCEPT udp -- anywhere anywhere udp dpt:http
ACCEPT udp -- anywhere anywhere udp dpt:https
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ssh state NEW recent: CHECK seconds: 60 hit_count: 5 name: ssh side: source LOG level warning tcp-options ip-options prefix `SFW2-INext-DROPr '
DROP tcp -- anywhere anywhere tcp dpt:ssh state NEW recent: UPDATE seconds: 60 hit_count: 5 TTL-Match name: ssh side: source
LOG tcp -- anywhere anywhere tcp dpt:ssh state NEW limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC '
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW recent: SET name: ssh side: source
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
DROP all -- anywhere anywhere PKTTYPE = multicast
DROP all -- anywhere anywhere PKTTYPE = broadcast
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG udp -- anywhere anywhere limit: avg 3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
DROP all -- anywhere anywhere

Chain reject_func (0 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable
bunyip:/etc/sysconfig #
--
To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-security+help(a)opensuse.org
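Editor's note with an added example (this code is not from the original post and not part of SuSEfirewall2). The listing above already contains the answer to the question: in the input_ext chain, `ACCEPT tcp -- anywhere anywhere tcp dpt:ssh` (preceded by its `SFW2-INext-ACC-TCP` LOG rule) sits well before the `recent: CHECK` / `UPDATE` / `SET` rules that the `hitcount=5,blockseconds=60` setting generated. iptables evaluates a chain top to bottom and stops at the first terminating target, so every new SSH connection is accepted by that earlier rule and the rate-limit rules are never consulted. The script below parses `iptables -L` output and reports exactly this kind of shadowing: an unconditional ACCEPT for a port followed by further rules for the same port. The sample chain is constructed to mirror the ordering in the post, and all function and variable names are my own.

```python
"""Spot rule shadowing in `iptables -L` output.

iptables walks a chain top to bottom and stops at the first rule with a
terminating target (ACCEPT, DROP, REJECT).  If a rule accepting every TCP
packet to a port precedes the `recent:`-based rate-limit rules for the same
port, those later rules can never match, whatever hitcount/seconds they carry.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

ANY_ADDRESS = {"anywhere", "0.0.0.0/0"}  # how `iptables -L` / `-L -n` print a 0/0 match


class Rule(NamedTuple):
    chain: str
    index: int          # 1-based position in the chain, as --line-numbers would show
    target: str
    proto: str
    source: str
    destination: str
    extra: str          # match text after the destination column (may be empty)


# Constructed excerpt, not the listing from the post.  It mirrors the ordering
# of the post's input_ext chain: a LOG/ACCEPT pair for dpt:ssh, followed by the
# recent-module CHECK/UPDATE/SET rules that were meant to rate-limit it.
SAMPLE_IPTABLES_L = """\
Chain input_ext (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            PKTTYPE = broadcast
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:http flags:FIN,SYN,RST,ACK/SYN LOG level warning prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN LOG level warning prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:ssh state NEW recent: CHECK seconds: 60 hit_count: 5 name: ssh side: source LOG level warning prefix `SFW2-INext-DROPr '
DROP       tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW recent: UPDATE seconds: 60 hit_count: 5 TTL-Match name: ssh side: source
LOG        tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW limit: avg 3/min burst 5 LOG level warning prefix `SFW2-INext-ACC '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW recent: SET name: ssh side: source
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       all  --  anywhere             anywhere
"""


def parse_iptables_l(text: str) -> Dict[str, List[Rule]]:
    """Parse `iptables -L` output into {chain_name: [Rule, ...]}."""
    chains: Dict[str, List[Rule]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif current is None or not line.strip() or line.startswith("target "):
            continue  # preamble, blank separator between chains, or column header
        else:
            parts = line.split(None, 5)
            if len(parts) < 5:
                continue  # not a rule line (e.g. a fragment wrapped by a mail client)
            extra = parts[5] if len(parts) == 6 else ""
            chains[current].append(Rule(current, len(chains[current]) + 1,
                                        parts[0], parts[1], parts[3], parts[4], extra))
    return chains


def dest_port(rule: Rule) -> Optional[str]:
    """Destination port the rule matches (`dpt:ssh` -> 'ssh'), or None."""
    m = re.search(r"\bdpt:(\S+)", rule.extra)
    return m.group(1) if m else None


def accepts_port_unconditionally(rule: Rule) -> bool:
    """ACCEPT for any source/destination with no qualifier beyond the port itself."""
    if rule.target != "ACCEPT" or dest_port(rule) is None:
        return False
    if rule.source not in ANY_ADDRESS or rule.destination not in ANY_ADDRESS:
        return False
    # Anything left after removing the port match (state, recent, limit, flags)
    # means the ACCEPT is conditional and does not shadow later rules.
    return re.sub(r"\b(tcp|udp) dpt:\S+", "", rule.extra).strip() == ""


def find_shadowed_rules(rules: List[Rule], port: str) -> Tuple[Optional[Rule], List[Rule]]:
    """Return (first unconditional ACCEPT for `port`, rules for `port` after it).

    Every rule in the returned list is unreachable: the earlier ACCEPT has
    already terminated chain traversal for each packet to that port.
    """
    blocker: Optional[Rule] = None
    shadowed: List[Rule] = []
    for rule in rules:
        if dest_port(rule) != port:
            continue
        if blocker is None:
            if accepts_port_unconditionally(rule):
                blocker = rule
        else:
            shadowed.append(rule)
    return blocker, shadowed


def report(chains: Dict[str, List[Rule]], port: str) -> List[str]:
    """One finding per chain in which rules for `port` are shadowed."""
    findings = []
    for name, rules in chains.items():
        blocker, shadowed = find_shadowed_rules(rules, port)
        if blocker and shadowed:
            recent = sum("recent:" in r.extra for r in shadowed)
            findings.append(f"{name}: rule {blocker.index} accepts all tcp dpt:{port}; "
                            f"rules {[r.index for r in shadowed]} after it are unreachable "
                            f"({recent} of them use the recent module)")
    return findings


if __name__ == "__main__":
    for finding in report(parse_iptables_l(SAMPLE_IPTABLES_L), "ssh"):
        print(finding)
```

`parse_iptables_l` takes the raw text of `iptables -L` (with or without `-n`), so the output captured on the server can be fed to it unchanged. On the sample it reports that rule 5 of input_ext accepts all SSH traffic and that rules 6 to 10, including the three recent-module rules, can never be reached. The practical conclusion for the post is that the `FW_SERVICES_ACCEPT_EXT` rate-limit rules only take effect once port 22 is no longer opened by an earlier, unconditional accept in the same chain; after changing the configuration, re-run the check and confirm the `recent: CHECK` rule now precedes any plain `ACCEPT tcp dpt:ssh`.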