openSUSE Security June 2010

security@lists.opensuse.org

12 participants
5 discussions

[opensuse-security] Howto restrict number of sshd sessions per minute

by Otto Rodusek

Hi ListMates, I'm trying to resolve a problem with Susefirewall2 that I've had for some time and I'm hoping to get a resolution if possible. I'm trying this on a Dell Server T110 using opensuse linux 11.2 - uname: Linux bunyip 2.6.31.12-0.2-desktop #1 SMP PREEMPT 2010-03-16 21:25:39 +0100 i686 i686 i386 GNU/Linux. I'm trying to restrict the number of sshd login attempts to only 5 per minute and no more. I've read the docs and have modified /etc/sysconfig/SuSEfirewall2 (FW_SERVICES_ACCEPT_EXT="0/0,tcp,22") to (FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=5,blockseconds=60,recentname=ssh"). If I check my logs I can still see that MANY sshd login attempts still happen within the 60 seconds. I have installed a perl program to catch and firewall those culprits BUT I would still like to know why the above code doesn't seem to work. Have I forgotten to edit something else? Any help would be much appreciated. If it helps, below is the result of the iptables -L - maybe someone can spot something here? Again much thanks for any help in this area. bunyip:/etc/sysconfig # iptables -L Chain INPUT (policy DROP) target prot opt source destination DROP all -- 60.210.8.234 anywhere DROP all -- 59.151.119.180 anywhere DROP all -- 61.160.249.80 anywhere DROP all -- 118.45.235.157 anywhere DROP all -- 210.51.191.232 anywhere DROP all -- pd95b8832.dip0.t-ipconnect.de anywhere DROP all -- 218.75.79.18 anywhere ACCEPT all -- anywhere anywhere ACCEPT all -- anywhere anywhere state ESTABLISHED ACCEPT icmp -- anywhere anywhere state RELATED input_ext all -- anywhere anywhere input_ext all -- anywhere anywhere LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET ' DROP all -- anywhere anywhere Chain FORWARD (policy DROP) target prot opt source destination LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING ' Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR ' Chain forward_ext (0 references) target prot opt source destination Chain input_ext (2 references) target prot opt source destination DROP all -- anywhere anywhere PKTTYPE = broadcast ACCEPT icmp -- anywhere anywhere icmp source-quench ACCEPT icmp -- anywhere anywhere icmp echo-request ACCEPT udp -- anywhere anywhere udp spt:netbios-ns state RELATED ACCEPT gre -- anywhere anywhere LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ndmp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:ndmp LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:scp-config flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:scp-config LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:pptp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:pptp LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ftp-data flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ni-ftp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:ni-ftp LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:http flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:http LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:https flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:https LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:smtp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:smtp LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:urd flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:urd LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:netbios-ssn flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ssn LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:microsoft-ds flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:ssh LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ftp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:ftp LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpts:30000:30100 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpts:30000:30100 ACCEPT udp -- anywhere anywhere udp dpt:http ACCEPT udp -- anywhere anywhere udp dpt:https LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ssh state NEW recent: CHECK seconds: 60 hit_count: 5 name: ssh side: source LOG level warning tcp-options ip-options prefix `SFW2-INext-DROPr ' DROP tcp -- anywhere anywhere tcp dpt:ssh state NEW recent: UPDATE seconds: 60 hit_count: 5 TTL-Match name: ssh side: source LOG tcp -- anywhere anywhere tcp dpt:ssh state NEW limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC ' ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW recent: SET name: ssh side: source ACCEPT tcp -- anywhere anywhere tcp dpt:ssh DROP all -- anywhere anywhere PKTTYPE = multicast DROP all -- anywhere anywhere PKTTYPE = broadcast LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT ' LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT ' LOG udp -- anywhere anywhere limit: avg 3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT ' DROP all -- anywhere anywhere Chain reject_func (0 references) target prot opt source destination REJECT tcp -- anywhere anywhere reject-with tcp-reset REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable bunyip:/etc/sysconfig # -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security+help(a)opensuse.org

12 years

[opensuse-security] Re: [security-announce] SUSE Security Announcement: flash player (SUSE-SA:2010:024)

by Carlos E. R.

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2010-06-11 17:44, Marcus Meissner wrote: > > ______________________________________________________________________________ > > SUSE Security Announcement > > Package: flash-player Please notice that you are signing the email with an expired key, ID 9C800ACA > Type Bits/KeyID Date User ID > pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de> > pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de> > > -----BEGIN PGP PUBLIC KEY BLOCK----- Also, there is something wrong with your signing method, as Thunderbird failed to even offer to import any of both keys listed in the block above, said "there is no publick key block". I had to import the key using seahorse. - -- Cheers / Saludos, Carlos E. R. (from 11.2 x86_64 "Emerald" GM (Elessar)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.12 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/ iEYEARECAAYFAkwSkesACgkQU92UU+smfQVB6gCggYhufSrs8vxmfbb7WG2xAuI5 fogAn10Hk7awKgdlesS9Ha/nD9GieqNA =DdQG -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security+help(a)opensuse.org

12 years

[opensuse-security] Not attacking the problem

by Keith Hopper

This is by way of a confession - or, if you prefer, an apocryphal tale which could happen to any of us to our deep embarrasment. Recently I had a great deal of difficulty installing/updating my x86-64 machine with hardware RAID from 11.1 to 11.2. Trying to repair the system failed after failing to install 11.2 so I had to go back, re-install 11.1 and, after some fiddling, could then update to 11.2. Just at this time - when I needed access to update the distribution - my broadband modem failed catastrophically. It was quite an old one and was no longer in production - so I purchased a new one (which had the facility to disable its firewall - which I did). Quick modem configure and all was fine for updating the distribution. I had been 'off the air' for a couple of weeks doing all of this and never thought that anything further needed doing as, from my point of view, everything was working fine. Some friends then told me my web site wasn't accessible any more - so I immediately thought of SuSEfirewall problems as the way of configuring it had changed slightly from 11.1. I have recently spent several days battling to get the rest of the world to see my machine - ending up by reading all of the available guides and examples. I found that I should have made one manual addition to the SuSEfirewall2 file - but even that didn't succeed in making my machine accessible from 'outside' my private LAN. If some of you are grinning widely by now I shall not be surprised! Yes! I had forgotten that the problem was not just a continuation of the difficulties I had been having with SuSE 11.2 - it was a connection problem and that involved the new broadband modem too! A flash of 'inspiration' occurred to me in bed last night and I almost yelled out - 'what about the modem?' Indeed, this new modem insisted that every individual port had to have port forwarding enabled specifically to the server machine. I opened the necessary ports and all worked as expected - the machine is visible. I hope this never happens to any of you -but then you are all experts (sigh! - I used to be one, obviously!), aren't you? Keith Hopper -- Sky Development -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security+help(a)opensuse.org

12 years

[opensuse-security] LUKS / DM-CRYPT how to determine used slots?

by Malte Gell

Hello, I have just added a key file to my encrypted partition that i use on a USB stick, so i don't have to enter a password at every boot. So I now have two slots used on that partition, a key file and the previous used password. How can I generally find out how many slots are used on an encrypted partition? The man page of cryptsetup is silent about this. Regards Malte -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security+help(a)opensuse.org

12 years

[opensuse-security] php5 update for 10.2 breaks gallery

by Stefan Seyfried

Hi, just to let everyone know: the 5.3.2 update breaks my gallery2 installation thoroughly, it's segfaulting all the time. Downgrading to 5.3.1 from the update repo fixes it. -- Stefan Seyfried "Any ideas, John?" "Well, surrounding them's out." -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security+help(a)opensuse.org

12 years, 1 month

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

1997

1996

openSUSE Security June 2010