Dear Carlos and Armin, thanks for your replies. It turns out that the firewall is indeed configured to block some SSH requests:
jobs:/home/pvgorp # iptables -L | grep ssh LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
I guess I should increase that burst treshold. Thanks for your help! Note that I also searched /etc/sysconfig/scripts/SuSEfirewall2-custom but that file did not contain the hitcount setting. Kind regards, Pieter Van Gorp On Mon, Jun 8, 2009 at 12:16 AM, Carlos E. R. <robin.listas@telefonica.net> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Sunday, 2009-06-07 at 20:38 -0000, Armin Schoech wrote:
FW_SERVICES_ACCEPT_EXT="0.0.0.0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
which would have that effect of limiting to 3 attempts per minute.
...
--> you could also try to issue "iptables -L" on the SSHD server machine. It lists all current iptables rules. On my machine with a fairly standard SuSE firewall (SuSE 10.3) if find these two lines:
LOG tcp -- 192.168.2.0/24 anywhere limit: avg 3/min burst 5 state NEW tcp dpt:22 LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TRUST ' ACCEPT tcp -- 192.168.2.0/24 anywhere state NEW,RELATED,ESTABLISHED tcp dpt:22
So there seems to be some kind of rate limiting active even if I did not intentionally configure it in "SuSEfirewall". Do you find similar rules on your server machine ?
Before SUSE/Novell added the extended FW_SERVICES_ACCEPT_EXT syntax, there was another method to accomplish the same result. In the configuration file /etc/sysconfig/SuSEfirewall2 we changed this variable:
FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
and then we edited that custom file; I just looked my old configuration, and saw that in the function fw_custom_before_antispoofing() I had added this:
iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j LOG --log-prefix 'SSH attack: ' iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j REJECT
The recipe was posted in this list some years ago.
- -- Cheers, Carlos E. R.
-- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org