Ludwig Nussel wrote:
Otto Rodusek wrote:
I'm trying to restrict the number of sshd login attempts to only 5 per minute and no more.
I've read the docs and have modified /etc/sysconfig/SuSEfirewall2 (FW_SERVICES_ACCEPT_EXT="0/0,tcp,22") to (FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=5,blockseconds=60,recentname=ssh").
If I check my logs I can still see that MANY sshd login attempts still happen within the 60 seconds. I have installed a perl program to catch [...]

bunyip:/etc/sysconfig # iptables -L
"SuSEfirewall2 status" output is more useful in such cases
Chain INPUT (policy DROP)
[...]
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
Remove ssh from FW_SERVICES_ACCEPT_EXT and FW_CONFIGURATIONS_EXT
cu Ludwig
Hi Ludwig,

Ok, tried all the suggestions and cleaned out SuSEfirewall2 as per above but I still get the following in my logs:

Jun 10 03:08:28 bunyip sshd[7626]: User root from 218.8.82.99 not allowed because not listed in AllowUsers
Jun 10 03:08:29 bunyip sshd[7629]: User root from 218.8.82.99 not allowed because not listed in AllowUsers
Jun 10 03:08:30 bunyip sshd[7631]: User root from 218.8.82.99 not allowed because not listed in AllowUsers
Jun 10 03:08:31 bunyip sshd[7633]: User root from 218.8.82.99 not allowed because not listed in AllowUsers
Jun 10 03:08:32 bunyip sshd[7635]: User root from 218.8.82.99 not allowed because not listed in AllowUsers
Jun 10 03:08:33 bunyip sshd[7637]: User root from 218.8.82.99 not allowed because not listed in AllowUsers
Jun 10 03:08:34 bunyip sshd[7639]: User root from 218.8.82.99 not allowed because not listed in AllowUsers
Jun 10 03:08:35 bunyip sshd[7641]: User root from 218.8.82.99 not allowed because not listed in AllowUsers
Jun 10 03:08:36 bunyip sshd[7643]: User root from 218.8.82.99 not allowed because not listed in AllowUsers
Jun 10 03:08:38 bunyip sshd[7645]: User root from 218.8.82.99 not allowed because not listed in AllowUsers
Jun 10 03:08:39 bunyip sshd[7647]: User root from 218.8.82.99 not allowed because not listed in AllowUsers
Jun 10 03:08:40 bunyip sshd[7649]: User root from 218.8.82.99 not allowed because not listed in AllowUsers
Jun 10 03:08:41 bunyip sshd[7651]: User root from 218.8.82.99 not allowed because not listed in AllowUsers
Jun 10 03:08:42 bunyip sshd[7653]: Invalid user oracle from 218.8.82.99
Jun 10 03:08:43 bunyip sshd[7656]: Invalid user test from 218.8.82.99

Obviously the line FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=5,blockseconds=60,recentname=ssh" isn't doing what it's supposed to do? Any other ideas I can try? Here is the output from SuSEfirewall2 -status if it will help!!??

Again thanks for all the suggestions and help!

Best regards.
otto.
PS: Here is the output from SuSEfirewall2 -status if it will help!!??

bunyip:/etc/sysconfig # SuSEfirewall2 status
### iptables filter ###
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       118.217.217.47       0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2791K  376M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED
 8066 1084K input_ext  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 input_ext  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET '
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING '

Chain OUTPUT (policy ACCEPT 1 packets, 40 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
2633K  972M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
    1    40 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-OUT-ERROR '

Chain forward_ext (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_ext (2 references)
 pkts bytes target     prot opt in     out     source               destination
 7156  954K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 4
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:137 state RELATED
    0     0 ACCEPT     47   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp dpt:10000 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:10000
   18   864 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp dpt:10001 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
   74  3552 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:10001
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp dpt:1723 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1723
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp dpt:20 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:20
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp dpt:47 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:47
    8   412 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp dpt:80 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    9   476 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
   38  2060 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp dpt:443 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
   44  2444 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp dpt:25 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp dpt:465 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:465
    1    48 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp dpt:139 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    1    48 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:139
    3   144 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp dpt:445 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    3   144 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:445
   45  2160 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp dpt:21 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
   46  2208 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp dpts:30000:30100 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:30000:30100
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:80
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:443
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp dpt:22 state NEW recent: CHECK seconds: 60 hit_count: 5 name: ssh side: source LOG flags 6 level 4 prefix `SFW2-INext-DROPr '
    3   180 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 state NEW recent: UPDATE seconds: 60 hit_count: 5 TTL-Match name: ssh side: source
   20  1180 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 state NEW limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-ACC '
   20  1180 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 state NEW recent: SET name: ssh side: source
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
  628  113K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = multicast
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
   48  3744 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
   82  6396 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain reject_func (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-proto-unreachable

### iptables raw ###
Chain PREROUTING (policy ACCEPT 11M packets, 1549M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 NOTRACK    all  --  lo     *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 10M packets, 5702M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 NOTRACK    all  --  *      lo      0.0.0.0/0            0.0.0.0/0

### ip6tables filter ###
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot     in     out     source               destination
    0     0 ACCEPT     all      lo     *       ::/0                 ::/0
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                state ESTABLISHED
    0     0 ACCEPT     icmpv6   *      *       ::/0                 ::/0                state RELATED
    0     0 input_ext  all      eth0   *       ::/0                 ::/0
    0     0 input_ext  all      *      *       ::/0                 ::/0
    0     0 LOG        all      *      *       ::/0                 ::/0                limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET '
    0     0 DROP       all      *      *       ::/0                 ::/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot     in     out     source               destination
    0     0 LOG        all      *      *       ::/0                 ::/0                limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING '

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot     in     out     source               destination
    0     0 ACCEPT     all      *      lo      ::/0                 ::/0
    0     0 ACCEPT     icmpv6   *      *       ::/0                 ::/0
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                state NEW,RELATED,ESTABLISHED
    0     0 LOG        all      *      *       ::/0                 ::/0                limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-OUT-ERROR '

Chain forward_ext (0 references)
 pkts bytes target     prot     in     out     source               destination

Chain input_ext (2 references)
 pkts bytes target     prot     in     out     source               destination
    0     0 ACCEPT     icmpv6   *      *       ::/0                 ::/0                ipv6-icmp type 128
    0     0 ACCEPT     icmpv6   *      *       ::/0                 ::/0                ipv6-icmp type 133
    0     0 ACCEPT     icmpv6   *      *       ::/0                 ::/0                ipv6-icmp type 134
    0     0 ACCEPT     icmpv6   *      *       ::/0                 ::/0                ipv6-icmp type 135
    0     0 ACCEPT     icmpv6   *      *       ::/0                 ::/0                ipv6-icmp type 136
    0     0 ACCEPT     icmpv6   *      *       ::/0                 ::/0                ipv6-icmp type 137
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                udp spt:137 state RELATED
    0     0 ACCEPT     47       *      *       ::/0                 ::/0
    0     0 LOG        tcp      *      *       ::/0                 ::/0                limit: avg 3/min burst 5 tcp dpt:10000 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                tcp dpt:10000
    0     0 LOG        tcp      *      *       ::/0                 ::/0                limit: avg 3/min burst 5 tcp dpt:10001 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                tcp dpt:10001
    0     0 LOG        tcp      *      *       ::/0                 ::/0                limit: avg 3/min burst 5 tcp dpt:1723 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                tcp dpt:1723
    0     0 LOG        tcp      *      *       ::/0                 ::/0                limit: avg 3/min burst 5 tcp dpt:20 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                tcp dpt:20
    0     0 LOG        tcp      *      *       ::/0                 ::/0                limit: avg 3/min burst 5 tcp dpt:47 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                tcp dpt:47
    0     0 LOG        tcp      *      *       ::/0                 ::/0                limit: avg 3/min burst 5 tcp dpt:80 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                tcp dpt:80
    0     0 LOG        tcp      *      *       ::/0                 ::/0                limit: avg 3/min burst 5 tcp dpt:443 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                tcp dpt:443
    0     0 LOG        tcp      *      *       ::/0                 ::/0                limit: avg 3/min burst 5 tcp dpt:25 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                tcp dpt:25
    0     0 LOG        tcp      *      *       ::/0                 ::/0                limit: avg 3/min burst 5 tcp dpt:465 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                tcp dpt:465
    0     0 LOG        tcp      *      *       ::/0                 ::/0                limit: avg 3/min burst 5 tcp dpt:139 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                tcp dpt:139
    0     0 LOG        tcp      *      *       ::/0                 ::/0                limit: avg 3/min burst 5 tcp dpt:445 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                tcp dpt:445
    0     0 LOG        tcp      *      *       ::/0                 ::/0                limit: avg 3/min burst 5 tcp dpt:21 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                tcp dpt:21
    0     0 LOG        tcp      *      *       ::/0                 ::/0                limit: avg 3/min burst 5 tcp dpts:30000:30100 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                tcp dpts:30000:30100
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                udp dpt:80
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                udp dpt:443
    0     0 LOG        tcp      *      *       ::/0                 ::/0                limit: avg 3/min burst 5 tcp dpt:22 state NEW recent: CHECK seconds: 60 hit_count: 5 name: ssh side: source LOG flags 6 level 4 prefix `SFW2-INext-DROPr '
    0     0 DROP       tcp      *      *       ::/0                 ::/0                tcp dpt:22 state NEW recent: UPDATE seconds: 60 hit_count: 5 TTL-Match name: ssh side: source
    0     0 LOG        tcp      *      *       ::/0                 ::/0                tcp dpt:22 state NEW limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-ACC '
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                tcp dpt:22 state NEW recent: SET name: ssh side: source
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                tcp dpt:22
    0     0 LOG        tcp      *      *       ::/0                 ::/0                limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
    0     0 LOG        icmpv6   *      *       ::/0                 ::/0                limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
    0     0 LOG        udp      *      *       ::/0                 ::/0                limit: avg 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
    0     0 DROP       all      *      *       ::/0                 ::/0

Chain reject_func (0 references)
 pkts bytes target     prot     in     out     source               destination
    0     0 REJECT     tcp      *      *       ::/0                 ::/0                reject-with tcp-reset
    0     0 REJECT     udp      *      *       ::/0                 ::/0                reject-with icmp6-port-unreachable
    0     0 REJECT     all      *      *       ::/0                 ::/0                reject-with icmp6-addr-unreachable
    0     0 DROP       all      *      *       ::/0                 ::/0

### ip6tables mangle ###
Chain PREROUTING (policy ACCEPT 138 packets, 13384 bytes)
 pkts bytes target     prot     in     out     source               destination

Chain INPUT (policy ACCEPT 138 packets, 13384 bytes)
 pkts bytes target     prot     in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot     in     out     source               destination

Chain OUTPUT (policy ACCEPT 150 packets, 14360 bytes)
 pkts bytes target     prot     in     out     source               destination

Chain POSTROUTING (policy ACCEPT 150 packets, 14360 bytes)
 pkts bytes target     prot     in     out     source               destination

### ip6tables raw ###
Chain PREROUTING (policy ACCEPT 138 packets, 13384 bytes)
 pkts bytes target     prot     in     out     source               destination
    0     0 NOTRACK    all      lo     *       ::/0                 ::/0

Chain OUTPUT (policy ACCEPT 150 packets, 14360 bytes)
 pkts bytes target     prot     in     out     source               destination
    0     0 NOTRACK    all      *      lo      ::/0                 ::/0

-- 
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org
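The status output above shows the three rules SuSEfirewall2 generates for hitcount=5,blockseconds=60,recentname=ssh: a LOG with `recent: CHECK`, a DROP with `recent: UPDATE`, and an ACCEPT with `recent: SET`, all restricted to `state NEW` on port 22. The following is an added example, not code from the thread, SuSEfirewall2 or the kernel: a small Python model of the iptables `recent` match (one timestamp ring per source address, a match when at least hit_count stamps fall inside the last `seconds`, and `--update` recording a further stamp only when it matches) replayed over the sshd log lines quoted in the thread, so a reader can see what verdicts that rule set should produce for fifteen new connections in fifteen seconds. Assumptions: the log year is not present in syslog lines and is fixed at 2000; the `--rttl` TTL match on the DROP rule is not modelled; the stamp ring size follows the kernel module's default ip_pkt_list_tot of 20.

```python
"""Model of the xt_recent-based SSH rate limit used in the thread.

Added illustration, not SuSEfirewall2 or kernel code.  It mimics the
documented semantics of --set / --rcheck / --update with --seconds and
--hitcount and replays them over the sshd log excerpt quoted in the thread.
The --rttl (TTL-Match) option of the DROP rule is not modelled.
"""
import re
from collections import deque
from datetime import datetime

# Log excerpt quoted from the thread (all from one source, one second apart).
SSHD_LOG = """\
Jun 10 03:08:28 bunyip sshd[7626]: User root from 218.8.82.99 not allowed because not listed in AllowUsers
Jun 10 03:08:29 bunyip sshd[7629]: User root from 218.8.82.99 not allowed because not listed in AllowUsers
Jun 10 03:08:30 bunyip sshd[7631]: User root from 218.8.82.99 not allowed because not listed in AllowUsers
Jun 10 03:08:31 bunyip sshd[7633]: User root from 218.8.82.99 not allowed because not listed in AllowUsers
Jun 10 03:08:32 bunyip sshd[7635]: User root from 218.8.82.99 not allowed because not listed in AllowUsers
Jun 10 03:08:33 bunyip sshd[7637]: User root from 218.8.82.99 not allowed because not listed in AllowUsers
Jun 10 03:08:34 bunyip sshd[7639]: User root from 218.8.82.99 not allowed because not listed in AllowUsers
Jun 10 03:08:35 bunyip sshd[7641]: User root from 218.8.82.99 not allowed because not listed in AllowUsers
Jun 10 03:08:36 bunyip sshd[7643]: User root from 218.8.82.99 not allowed because not listed in AllowUsers
Jun 10 03:08:38 bunyip sshd[7645]: User root from 218.8.82.99 not allowed because not listed in AllowUsers
Jun 10 03:08:39 bunyip sshd[7647]: User root from 218.8.82.99 not allowed because not listed in AllowUsers
Jun 10 03:08:40 bunyip sshd[7649]: User root from 218.8.82.99 not allowed because not listed in AllowUsers
Jun 10 03:08:41 bunyip sshd[7651]: User root from 218.8.82.99 not allowed because not listed in AllowUsers
Jun 10 03:08:42 bunyip sshd[7653]: Invalid user oracle from 218.8.82.99
Jun 10 03:08:43 bunyip sshd[7656]: Invalid user test from 218.8.82.99
"""

# syslog timestamp, host, sshd[pid], then "... from <IPv4>" somewhere in the message
LOG_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: .* from (\d+(?:\.\d+){3})")


def parse_sshd_log(text, year=2000):
    """Return [(epoch_seconds, source_ip)] for every line naming a source.

    Syslog stamps carry no year, so one is assumed (2000 is a leap year, so
    every calendar date parses).  Each sshd[pid] line is one new connection.
    """
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        stamp = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((stamp.timestamp(), m.group(2)))
    return events


class RecentTable:
    """One xt_recent list: a bounded ring of last-seen times per address."""

    def __init__(self, seconds, hit_count, ip_pkt_list_tot=20):
        self.seconds = seconds          # --seconds
        self.hit_count = hit_count      # --hitcount
        self.max_stamps = ip_pkt_list_tot  # kernel module default: 20 stamps kept
        self.stamps = {}

    def _hits(self, addr, now):
        # stamps no older than `seconds` before this packet
        return sum(1 for s in self.stamps.get(addr, ()) if now - s <= self.seconds)

    def set(self, addr, now):
        """--set: create the entry if needed and record this packet."""
        self.stamps.setdefault(addr, deque(maxlen=self.max_stamps)).append(now)

    def check(self, addr, now):
        """--rcheck: match when the address is listed with >= hit_count recent stamps."""
        return addr in self.stamps and self._hits(addr, now) >= self.hit_count

    def update(self, addr, now):
        """--update: as --rcheck, but a match also records this packet, so a
        source that keeps trying stays blocked until it has been quiet for
        `seconds`."""
        if self.check(addr, now):
            self.stamps[addr].append(now)
            return True
        return False


def apply_ssh_rules(events, seconds=60, hit_count=5):
    """Replay NEW-connection events through the SFW2 rule order:
    LOG (--rcheck, no verdict) -> DROP (--update) -> ACCEPT (--set).
    Returns [(time, ip, verdict)]."""
    table = RecentTable(seconds, hit_count)
    verdicts = []
    for now, addr in events:
        if table.update(addr, now):
            verdicts.append((now, addr, "DROP"))
        else:
            table.set(addr, now)
            verdicts.append((now, addr, "ACCEPT"))
    return verdicts


def verdict_counts(verdicts):
    """Summarise verdicts per source: {ip: {"ACCEPT": n, "DROP": m}}."""
    out = {}
    for _, addr, v in verdicts:
        out.setdefault(addr, {"ACCEPT": 0, "DROP": 0})[v] += 1
    return out


def max_connections_per_window(events, seconds=60):
    """What the log actually shows: the peak number of new connections any
    single source opened inside a sliding window of `seconds`."""
    per_src = {}
    for now, addr in events:
        per_src.setdefault(addr, []).append(now)
    peak = {}
    for addr, times in per_src.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > seconds:
                start += 1
            best = max(best, end - start + 1)
        peak[addr] = best
    return peak


if __name__ == "__main__":
    events = parse_sshd_log(SSHD_LOG)
    print("peak new connections per 60 s:", max_connections_per_window(events))
    print("verdicts the rule set should give:", verdict_counts(apply_ssh_rules(events)))
```

With the quoted log the model accepts the first five connections and drops the remaining ten, so a log that keeps showing one `sshd[pid]` line per second after the fifth is evidence that those packets are not reaching the DROP rule as `state NEW` hits on the `ssh` list, which is why checking the rule counters with `SuSEfirewall2 status` is the right diagnostic. Two limits of this kind of rule are worth keeping in mind when reading the log: it counts TCP connections, not authentication attempts, so several password tries inside one connection are bounded by sshd's MaxAuthTries rather than by the firewall, and because `--update` refreshes the entry on every dropped attempt the block only lapses once the source has been quiet for the full 60 seconds.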