[opensuse-security] Howto restrict number of sshd sessions per minute

Hi ListMates, I'm trying to resolve a problem with Susefirewall2 that I've had for some time and I'm hoping to get a resolution if possible. I'm trying this on a Dell Server T110 using opensuse linux 11.2 - uname: Linux bunyip 2.6.31.12-0.2-desktop #1 SMP PREEMPT 2010-03-16 21:25:39 +0100 i686 i686 i386 GNU/Linux. I'm trying to restrict the number of sshd login attempts to only 5 per minute and no more. I've read the docs and have modified /etc/sysconfig/SuSEfirewall2 (FW_SERVICES_ACCEPT_EXT="0/0,tcp,22") to (FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=5,blockseconds=60,recentname=ssh"). If I check my logs I can still see that MANY sshd login attempts still happen within the 60 seconds. I have installed a perl program to catch and firewall those culprits BUT I would still like to know why the above code doesn't seem to work. Have I forgotten to edit something else? Any help would be much appreciated. If it helps, below is the result of the iptables -L - maybe someone can spot something here? Again much thanks for any help in this area. bunyip:/etc/sysconfig # iptables -L Chain INPUT (policy DROP) target prot opt source destination DROP all -- 60.210.8.234 anywhere DROP all -- 59.151.119.180 anywhere DROP all -- 61.160.249.80 anywhere DROP all -- 118.45.235.157 anywhere DROP all -- 210.51.191.232 anywhere DROP all -- pd95b8832.dip0.t-ipconnect.de anywhere DROP all -- 218.75.79.18 anywhere ACCEPT all -- anywhere anywhere ACCEPT all -- anywhere anywhere state ESTABLISHED ACCEPT icmp -- anywhere anywhere state RELATED input_ext all -- anywhere anywhere input_ext all -- anywhere anywhere LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET ' DROP all -- anywhere anywhere Chain FORWARD (policy DROP) target prot opt source destination LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING ' Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR ' Chain forward_ext (0 references) target prot opt source destination Chain input_ext (2 references) target prot opt source destination DROP all -- anywhere anywhere PKTTYPE = broadcast ACCEPT icmp -- anywhere anywhere icmp source-quench ACCEPT icmp -- anywhere anywhere icmp echo-request ACCEPT udp -- anywhere anywhere udp spt:netbios-ns state RELATED ACCEPT gre -- anywhere anywhere LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ndmp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:ndmp LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:scp-config flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:scp-config LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:pptp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:pptp LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ftp-data flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ni-ftp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:ni-ftp LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:http flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:http LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:https flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:https LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:smtp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:smtp LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:urd flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:urd LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:netbios-ssn flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ssn LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:microsoft-ds flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:ssh LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ftp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:ftp LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpts:30000:30100 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpts:30000:30100 ACCEPT udp -- anywhere anywhere udp dpt:http ACCEPT udp -- anywhere anywhere udp dpt:https LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ssh state NEW recent: CHECK seconds: 60 hit_count: 5 name: ssh side: source LOG level warning tcp-options ip-options prefix `SFW2-INext-DROPr ' DROP tcp -- anywhere anywhere tcp dpt:ssh state NEW recent: UPDATE seconds: 60 hit_count: 5 TTL-Match name: ssh side: source LOG tcp -- anywhere anywhere tcp dpt:ssh state NEW limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC ' ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW recent: SET name: ssh side: source ACCEPT tcp -- anywhere anywhere tcp dpt:ssh DROP all -- anywhere anywhere PKTTYPE = multicast DROP all -- anywhere anywhere PKTTYPE = broadcast LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT ' LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT ' LOG udp -- anywhere anywhere limit: avg 3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT ' DROP all -- anywhere anywhere Chain reject_func (0 references) target prot opt source destination REJECT tcp -- anywhere anywhere reject-with tcp-reset REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable bunyip:/etc/sysconfig # -- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org