-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sunday, 2009-06-07 at 20:38 -0000, Armin Schoech wrote:
FW_SERVICES_ACCEPT_EXT="0.0.0.0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
which would have that effect of limiting to 3 attempts per minute.
...
--> you could also try to issue "iptables -L" on the SSHD server machine. It lists all current iptables rules. On my machine with a fairly standard SuSE firewall (SuSE 10.3) if find these two lines:
LOG tcp -- 192.168.2.0/24 anywhere limit: avg 3/min burst 5 state NEW tcp dpt:22 LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TRUST ' ACCEPT tcp -- 192.168.2.0/24 anywhere state NEW,RELATED,ESTABLISHED tcp dpt:22
So there seems to be some kind of rate limiting active even if I did not intentionally configure it in "SuSEfirewall". Do you find similar rules on your server machine ?
Before SUSE/Novell added the extended FW_SERVICES_ACCEPT_EXT syntax, there was another method to accomplish the same result. In the configuration file /etc/sysconfig/SuSEfirewall2 we changed this variable: FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom" and then we edited that custom file; I just looked my old configuration, and saw that in the function fw_custom_before_antispoofing() I had added this: iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j LOG --log-prefix 'SSH attack: ' iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j REJECT The recipe was posted in this list some years ago. - -- Cheers, Carlos E. R. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (GNU/Linux) iEYEARECAAYFAkosPEYACgkQtTMYHG2NR9X8eQCgix2A08mAYxJXra2Mf5OwGOZK 5EUAnjc4zMHxID+u4RPu+KP+Roh/kIXW =6f6B -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org