[opensuse-security] Susefirewall limit connections
Hi ListMates,

I have a large number of attacks on my customer's ports (10022, 5901, 5904) running OpenSuse 13.1 x64.

Basically I would like the firewall to allow no more than 5 attempts per 60 second period (or 1 attempt per 12 seconds), after which I would like the firewall to PERMANENTLY LOCK out the attempting IP. I'm not sure whether this can be done via the SuseFirewall or whether I need to write a script to do it.

I have tried a couple of methods with the following script BUT I still get several (thousands) attempts in my firewall logs.

Any suggestions?

Thanks and best regards. Otto.

---------Start of bash script-----------
#!/bin/bash
##### command to use
IPT=/usr/sbin/iptables
##### length of the time window in seconds
##### (renamed from SECONDS, which is a bash built-in that counts up from shell start)
WINDOW=60
##### max new connections per IP within the window
BLOCKCOUNT=5
##### default action can be DROP or REJECT
DACTION="DROP"
##### default port to monitor (if not given as argument)
PORT=10022
if [ $# -eq 1 ]; then
    PORT=$1
fi
##### method 1: record every new connection from a source in the table rule<PORT>,
##### then apply the default action once it has made BLOCKCOUNT attempts within WINDOW seconds
$IPT -A INPUT -p tcp --dport ${PORT} -m state --state NEW -m recent --set --name rule${PORT}
$IPT -A INPUT -p tcp --dport ${PORT} -m state --state NEW -m recent --update --name rule${PORT} \
    --seconds ${WINDOW} --hitcount ${BLOCKCOUNT} -j ${DACTION}
##### method 2 (commented out): same check with --rcheck on the default table, answering with a REJECT
#$IPT -A INPUT -p tcp --dport ${PORT} -m state --state NEW -m recent --set
#
#$IPT -A INPUT -p tcp --dport ${PORT} -m state --state NEW -m recent --rcheck \
#    --seconds ${WINDOW} --hitcount ${BLOCKCOUNT} -j REJECT --reject-with icmp-port-unreachable
---------End of bash script-----------

--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-security+owner@opensuse.org
On Sun, Nov 16, 2014 at 11:38:17AM +0800, Otto Rodusek wrote:
Hi ListMates,
I have a large number of attacks on my customer's ports (10022, 5901, 5904) running OpenSuse 13.1 x64.
Basically I would like the firewall to allow no more than 5 attempts per 60 second period (or 1 attempt per 12 seconds), after which I would like the firewall to PERMANENTLY LOCK out the attempting IP. I'm not sure whether this can be done via the SuseFirewall or whether I need to write a script to do it.
I have tried a couple of methods with the following script BUT I still get several (thousands) attempts in my firewall logs.
Any suggestions?
Thanks and best regards. Otto.
You already use the ipt_recent table rule ... I do not see where the issue is, perhaps the default action is still triggered.
You can debug this with iptables -v -L and check the hit count on the rules to see which ones trigger.

In SUSE firewall remove ssh from FW_SERVICES_ACCEPT, readd it to:
FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=5,blockseconds=300,recentname=ssh"

And instead of "22" and "ssh" you can use your ports and a logname, rules separated by spaces.

Ciao, Marcus
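Marcus's advice is to check the rule counters with iptables -v -L and to use the hitcount/blockseconds/recentname form of FW_SERVICES_ACCEPT_EXT. As an added example (not code from the thread or from SuSEfirewall2), the shell below reads the xt_recent table such a rule keeps under /proc/net/xt_recent/<recentname> and lists the addresses that have reached the hit count, and builds the FW_SERVICES_ACCEPT_EXT value for Otto's three ports; the recentname=port<N> naming and the sample table contents are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. The kernel exposes every xt_recent
# table as /proc/net/xt_recent/<recentname>, one line per tracked source:
#   src=A.B.C.D ttl: N last_seen: J oldest_pkt: I J1, J2, ...
# where J* are jiffies timestamps of the recorded packets. The number of
# timestamps is the number of recent packets from that address (capped by
# the module's ip_pkt_list_tot, default 20).

# blocked_ips TABLE_TEXT HITCOUNT
#   prints "address count" for every address whose recorded packet count
#   is >= HITCOUNT, i.e. the ones a --update/--hitcount rule is acting on.
blocked_ips() {
    printf '%s\n' "$1" | awk -v hits="$2" '
        /^src=/ {
            n = 0
            # fields after "oldest_pkt: <index>" are the timestamps
            for (i = 1; i <= NF; i++) if ($i == "oldest_pkt:") n = NF - i - 1
            ip = substr($1, 5)          # strip the "src=" prefix
            if (n >= hits) print ip " " n
        }'
}

# fw_accept_ext PORT...
#   builds the FW_SERVICES_ACCEPT_EXT value for the given ports in the
#   hitcount/blockseconds/recentname form Marcus quotes, one entry per port
#   separated by spaces (recentname=port<N> is an assumed naming scheme).
fw_accept_ext() {
    out=""
    for p in "$@"; do
        entry="0/0,tcp,$p,,hitcount=5,blockseconds=300,recentname=port$p"
        out="${out:+$out }$entry"
    done
    printf '%s' "$out"
}

# Constructed sample table (not a real capture); 198.51.100.7 has 6 hits.
SAMPLE='src=203.0.113.5 ttl: 54 last_seen: 4295135901 oldest_pkt: 2 4295135800, 4295135901
src=198.51.100.7 ttl: 51 last_seen: 4295136060 oldest_pkt: 6 4295136000, 4295136012, 4295136024, 4295136036, 4295136048, 4295136060
src=192.0.2.9 ttl: 60 last_seen: 4295136100 oldest_pkt: 1 4295136100'

blocked_ips "$SAMPLE" 5        # -> 198.51.100.7 6
fw_accept_ext 10022 5901 5904  # the value to put in /etc/sysconfig/SuSEfirewall2
```

Rules appended to INPUT with -A, as in Otto's script, sit behind SuSEfirewall2's own rules (its ACCEPT for the port and its final DROP), so packets may never reach them, which is exactly what the per-rule counters from iptables -v -L reveal. Note also that xt_recent forgets an address once it stays quiet for the --seconds window, so blockseconds=300 is a rolling block rather than the permanent lock-out asked for.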
On 16/11/14 19:51, Marcus Meissner wrote:
You already use the ipt_recent table rule ... Do not see where the issue is, perhaps the default action is still triggered.
You can debug this with iptables -v -L and check the hit count on the rules to see which ones trigger.
In SUSE firewall remove ssh from FW_SERVICES_ACCEPT, readd it to: FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=5,blockseconds=300,recentname=ssh"
And instead of "22" and "ssh" you can use your ports and a logname, rules separated by spaces.
Ciao, Marcus
Hi Marcus,
Thanks for your feedback - I'll give that a try.
participants (2)
- Marcus Meissner
- Otto Rodusek