Re: [opensuse-security] SSH access refused for legitimate user under heavy load
Dear Bujdosó, thanks for your reply.

> _If_ you think that the firewall is responsible for the timeouts you might take a look at your /var/log/firewall

In the firewall log, I have no entries for the machine from which the connections were initiated (and refused to). How should I interpret this observation?

> Then you can look at /etc/sysconfig/SuSEfirewall2 config file in the "FW_SERVICES_ACCEPT_EXT" section.

The hitcount/blockseconds identifiers do not occur in this file...

Should I investigate other paths than the firewall? Any clues?

Thanks a lot for your advice,
Pieter

--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org
On Saturday, 2009-06-06 at 14:49 +0200, Pieter Van Gorp wrote:

> Dear Bujdosó, thanks for your reply.

He should post to the list, not in private.

> > _If_ you think that the firewall is responsible for the timeouts you might take a look at your /var/log/firewall
>
> In the firewall log, I have no entries for the machine from which the connections were initiated (and refused to). How should I interpret this observation?

That the firewall is not involved, or that the firewall is not configured to log those events.

> > Then you can look at /etc/sysconfig/SuSEfirewall2 config file in the "FW_SERVICES_ACCEPT_EXT" section.
>
> The hitcount/blockseconds identifiers do not occur in this file...

Not having been able to look at the post you are replying to, as it was a private mail, I assume he told you to look at an entry like this:

FW_SERVICES_ACCEPT_EXT="0.0.0.0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"

which would have the effect of limiting to 3 attempts per minute.

> Should I investigate other paths than the firewall? Any clues?

Search for ssh related entries in /var/log/messages. Like:

May 2 14:48:04 nimrodel sshd[24255]: Accepted publickey for cer from ::1 port 24897 ssh2

You could see a reject. You can also increase verbosity in the sshd log.

--
Cheers,
Carlos E. R.
Hello,

> > Then you can look at /etc/sysconfig/SuSEfirewall2 config file in the "FW_SERVICES_ACCEPT_EXT" section.
> >
> > The hitcount/blockseconds identifiers do not occur in this file...
>
> Not having been able to look at the post you are replying to, as it was a private mail, I assume he told you to look at an entry like this:
>
> FW_SERVICES_ACCEPT_EXT="0.0.0.0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
>
> which would have the effect of limiting to 3 attempts per minute.
>
> > Should I investigate other paths than the firewall? Any clues?
>
> Search for ssh related entries in /var/log/messages. Like:
>
> May 2 14:48:04 nimrodel sshd[24255]: Accepted publickey for cer from ::1 port 24897 ssh2
>
> You could see a reject. You can also increase verbosity in the sshd log.

--> You could also try to issue "iptables -L" on the SSHD server machine. It lists all current iptables rules. On my machine with a fairly standard SuSE firewall (SuSE 10.3) I find these two lines:

LOG        tcp  --  192.168.2.0/24       anywhere            limit: avg 3/min burst 5 state NEW tcp dpt:22 LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TRUST '
ACCEPT     tcp  --  192.168.2.0/24       anywhere            state NEW,RELATED,ESTABLISHED tcp dpt:22

So there seems to be some kind of rate limiting active even if I did not intentionally configure it in "SuSEfirewall". Do you find similar rules on your server machine?

HTH,
Armin

Dr. Armin Schoech
Carl-Zeiss-Strasse 33/1
D-89551 Koenigsbronn / GERMANY
WWW: http://armin.schoech.de/
On Sunday, 2009-06-07 at 20:38 -0000, Armin Schoech wrote:

> > FW_SERVICES_ACCEPT_EXT="0.0.0.0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
> >
> > which would have the effect of limiting to 3 attempts per minute.
>
> ...
>
> --> You could also try to issue "iptables -L" on the SSHD server machine. It lists all current iptables rules. On my machine with a fairly standard SuSE firewall (SuSE 10.3) I find these two lines:
>
> LOG        tcp  --  192.168.2.0/24       anywhere            limit: avg 3/min burst 5 state NEW tcp dpt:22 LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TRUST '
> ACCEPT     tcp  --  192.168.2.0/24       anywhere            state NEW,RELATED,ESTABLISHED tcp dpt:22
>
> So there seems to be some kind of rate limiting active even if I did not intentionally configure it in "SuSEfirewall". Do you find similar rules on your server machine?

Before SUSE/Novell added the extended FW_SERVICES_ACCEPT_EXT syntax, there was another method to accomplish the same result. In the configuration file /etc/sysconfig/SuSEfirewall2 we changed this variable:

FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"

and then we edited that custom file; I just looked at my old configuration, and saw that in the function fw_custom_before_antispoofing() I had added this:

iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j LOG --log-prefix 'SSH attack: '
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j REJECT

The recipe was posted in this list some years ago.

--
Cheers,
Carlos E. R.
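The two mechanisms named in this thread behave differently: the `-m limit --limit 3/min --limit-burst 5` on the LOG rules that Armin and Pieter pasted is a token bucket that caps how many log lines are written (LOG is non-terminating, so the packet still proceeds to the ACCEPT rule below it), while the `-m recent ... --hitcount 6` rules in Carlos's recipe actually REJECT. The Python below is an added illustration, not code from the thread or from SuSEfirewall2; it models both matches side by side on a constructed timeline of SYNs. The class names, the `run()` helper, the sample timeline and the simplification that every SYN adds exactly one `recent` timestamp are this example's own assumptions.

```python
"""Simulate the two iptables rate-limiting matches discussed in this thread.

Added illustration, not code from the thread or from SuSEfirewall2.
  * LimitMatch models `-m limit --limit 3/min --limit-burst 5`
    (a token bucket, as on the LOG rules Armin and Pieter quoted);
  * RecentMatch models `-m recent --set` followed by
    `-m recent --update --seconds 60 --hitcount 6` (Carlos's recipe).
Class names and the SAMPLE timeline are constructed for this example.
"""
from collections import deque


class LimitMatch:
    """Token bucket behind `-m limit --limit RATE --limit-burst BURST`.

    The bucket starts full with BURST tokens and refills at RATE; a packet
    matches only when a token is available. On a LOG rule this only caps
    how many log lines are written; the packet continues down the chain.
    """

    def __init__(self, rate_per_min: float, burst: int) -> None:
        self.rate_per_sec = rate_per_min / 60.0
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def matches(self, now: float) -> bool:
        refill = (now - self.last) * self.rate_per_sec
        self.tokens = min(float(self.burst), self.tokens + refill)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RecentMatch:
    """Sliding window behind `-m recent --set` / `--update --seconds S --hitcount N`.

    Simplification (assumption): every SYN is recorded exactly once by the
    `--set` rule. The real `--update` rules also refresh the entry when they
    match, which only makes the block stickier than modelled here.
    """

    def __init__(self, seconds: int, hitcount: int) -> None:
        self.seconds = seconds
        self.hitcount = hitcount
        self.stamps: dict = {}

    def set_then_update(self, src: str, now: float) -> bool:
        """Record the SYN (--set) and report whether --update --hitcount matches."""
        window = self.stamps.setdefault(src, deque())
        window.append(now)
        while window and now - window[0] > self.seconds:
            window.popleft()  # drop stamps older than the --seconds window
        return len(window) >= self.hitcount


def run(events, rate_per_min=3, burst=5, seconds=60, hitcount=6):
    """events: iterable of (t_seconds, source_ip) SYN arrivals, in time order.

    Returns one (t, src, logged, rejected) tuple per SYN: `logged` is the
    verdict of a limit-matched LOG rule, `rejected` the verdict of the
    recent-based REJECT rule. The two rules are evaluated independently.
    """
    limit = LimitMatch(rate_per_min, burst)
    recent = RecentMatch(seconds, hitcount)
    return [(t, src, limit.matches(t), recent.set_then_update(src, t)) for t, src in events]


# Constructed sample: one client opening eight SSH connections two seconds
# apart (a build job or an scp loop under heavy load, for instance).
SAMPLE = [(2.0 * i, "192.0.2.10") for i in range(8)]


if __name__ == "__main__":
    for t, src, logged, rejected in run(SAMPLE):
        print(f"t={t:5.1f}s {src}: logged={logged!s:5} rejected={rejected}")
```

Running it shows the first five SYNs are logged and (under the recent rule) still allowed; from the sixth SYN on, the recent rule rejects, while the log-rate bucket is already drained. In this combined model the attempts that get rejected are exactly the ones that produce no log line, which is why an empty /var/log/firewall does not by itself prove the firewall is uninvolved. A slower client (one SYN every 15 seconds) is never rejected and is always logged, because the bucket refills faster than it is drained.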
Dear Carlos and Armin, thanks for your replies. It turns out that the firewall is indeed configured to block some SSH requests:

jobs:/home/pvgorp # iptables -L | grep ssh
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '

I guess I should increase that burst threshold. Thanks for your help!

Note that I also searched /etc/sysconfig/scripts/SuSEfirewall2-custom but that file did not contain the hitcount setting.

Kind regards,
Pieter Van Gorp

On Mon, Jun 8, 2009 at 12:16 AM, Carlos E. R. <robin.listas@telefonica.net> wrote:

> On Sunday, 2009-06-07 at 20:38 -0000, Armin Schoech wrote:
>
> > > FW_SERVICES_ACCEPT_EXT="0.0.0.0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
> > >
> > > which would have the effect of limiting to 3 attempts per minute.
> >
> > ...
> >
> > --> You could also try to issue "iptables -L" on the SSHD server machine. It lists all current iptables rules. On my machine with a fairly standard SuSE firewall (SuSE 10.3) I find these two lines:
> >
> > LOG        tcp  --  192.168.2.0/24       anywhere            limit: avg 3/min burst 5 state NEW tcp dpt:22 LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TRUST '
> > ACCEPT     tcp  --  192.168.2.0/24       anywhere            state NEW,RELATED,ESTABLISHED tcp dpt:22
> >
> > So there seems to be some kind of rate limiting active even if I did not intentionally configure it in "SuSEfirewall". Do you find similar rules on your server machine?
>
> Before SUSE/Novell added the extended FW_SERVICES_ACCEPT_EXT syntax, there was another method to accomplish the same result. In the configuration file /etc/sysconfig/SuSEfirewall2 we changed this variable:
>
> FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
>
> and then we edited that custom file; I just looked at my old configuration, and saw that in the function fw_custom_before_antispoofing() I had added this:
>
> iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
> iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j LOG --log-prefix 'SSH attack: '
> iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j REJECT
>
> The recipe was posted in this list some years ago.
>
> --
> Cheers,
> Carlos E. R.
Dear Armin,

On Sun, Jun 7, 2009 at 10:38 PM, Armin Schoech <armin.schoech@web.de> wrote:

> So there seems to be some kind of rate limiting active even if I did not intentionally configure it in "SuSEfirewall". Do you find similar rules on your server machine?

Indeed. Now I am wondering whether I can simply add more relaxed limit-burst options in /etc/sysconfig/SuSEfirewall2 or whether I should first look up the configuration file that sets the burst too strict (currently I don't know where the property is set, I guess it has never been set explicitly by the former administrator).

Could you please advise me about that?

Thanks again and kind regards,
Pieter
Hi Pieter,

> Indeed. Now I am wondering whether I can simply add more relaxed limit-burst options in /etc/sysconfig/SuSEfirewall2 or whether I should first look up the configuration file that sets the burst too strict (currently I don't know where the property is set, I guess it has never been set explicitly by the former administrator).
>
> Could you please advise me about that?

--> You can find out which files belong to the SuSEfirewall2 package with this command:

rpm -ql SuSEfirewall2

Then I did a "grep -nrHi rate" in "/etc/sysconfig/", which revealed the file "/etc/sysconfig/scripts/SuSEfirewall2-qdisc". Some kind of bandwidth limiting for SSH is done around line 71.

"man iptables" lists the "--limit rate" and "--limit-burst" commands. However, I did not find these commands easily. Don't know where they are issued.

That's all I can help you with since I'm not a firewall expert.

Best regards and good luck!
Armin

Dr. Armin Schoech
Carl-Zeiss-Strasse 33/1
D-89551 Koenigsbronn / GERMANY
WWW: http://armin.schoech.de/
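Before relaxing any burst value, it is worth checking what the limit in the `iptables -L` output is actually attached to: a `limit` match on a LOG rule only throttles logging, and connectivity is decided by the ACCEPT/REJECT/DROP rules for port 22. Pieter's `grep ssh` shows only the LOG rule, so the full listing is what to inspect. The parser below is an added example, not part of the thread or of SuSEfirewall2; its sample input reuses the rule lines Armin and Pieter pasted (`iptables -L` without `-n`, so the port shows as `22` or `ssh` and `0.0.0.0/0` as `anywhere`), with a constructed chain header in front. The function names, the assessment keys and the handling of header and prompt lines are this example's own assumptions.

```python
"""Parse `iptables -L` output and report where SSH rate limiting actually sits.

Added example, not part of the thread or of SuSEfirewall2. The rule lines in
SAMPLE_OUTPUT are the ones Armin and Pieter pasted; the two header lines are
constructed to look like a real `iptables -L` listing. Function names and
the keys returned by assess_ssh() are this example's own.
"""
import re

SAMPLE_OUTPUT = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
LOG        tcp  --  192.168.2.0/24       anywhere            limit: avg 3/min burst 5 state NEW tcp dpt:22 LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TRUST '
ACCEPT     tcp  --  192.168.2.0/24       anywhere            state NEW,RELATED,ESTABLISHED tcp dpt:22
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
"""

# Fixed columns of `iptables -L`: target prot opt source destination, then the
# match text. Requiring a real `opt` value (--, -f or !f) rejects chain
# headers, the column header and stray shell prompts.
RULE_RE = re.compile(
    r"^(?P<target>\S+)\s+(?P<prot>\S+)\s+(?P<opt>--|-f|!f)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*)$"
)
LIMIT_RE = re.compile(r"limit: avg (?P<avg>\S+) burst (?P<burst>\d+)")
DPT_RE = re.compile(r"\bdpt:(?P<port>\S+)")
PREFIX_RE = re.compile(r"prefix `(?P<prefix>[^']*)'")

SSH_PORTS = {"22", "ssh"}
VERDICTS = {"ACCEPT", "REJECT", "DROP"}


def parse_rule(line: str):
    """Return a dict for one rule line, or None for headers, prompts and noise."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    extra = m["extra"]
    limit = LIMIT_RE.search(extra)
    dpt = DPT_RE.search(extra)
    prefix = PREFIX_RE.search(extra)
    return {
        "target": m["target"],
        "prot": m["prot"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": dpt["port"] if dpt else None,
        "limit": {"avg": limit["avg"], "burst": int(limit["burst"])} if limit else None,
        "prefix": prefix["prefix"].strip() if prefix else None,
    }


def parse_output(text: str):
    """Parse a whole `iptables -L` listing, skipping anything that is not a rule."""
    return [r for r in (parse_rule(line) for line in text.splitlines()) if r]


def assess_ssh(rules):
    """Summarise how the port-22 rules use `-m limit`.

    A limit on a LOG rule caps log volume only: LOG is non-terminating, so
    the packet still reaches the ACCEPT/REJECT rule below it. Only a limit on
    a verdict rule changes whether connections get through.
    """
    ssh = [r for r in rules if r["dport"] in SSH_PORTS]
    return {
        "limited_log_prefixes": [r["prefix"] for r in ssh if r["target"] == "LOG" and r["limit"]],
        "limited_verdicts": [r["target"] for r in ssh if r["target"] in VERDICTS and r["limit"]],
        "has_unlimited_accept": any(r["target"] == "ACCEPT" and not r["limit"] for r in ssh),
    }


if __name__ == "__main__":
    parsed = parse_output(SAMPLE_OUTPUT)
    for rule in parsed:
        print(rule["target"], rule["dport"], rule["limit"], rule["prefix"])
    print(assess_ssh(parsed))
```

Feed it the complete `iptables -L` output rather than a `grep ssh` subset; on the sample above it reports two rate-limited LOG rules (prefixes SFW2-INext-ACC-TRUST and SFW2-INext-ACC-TCP), no rate-limited verdict rule, and an unlimited ACCEPT for port 22, so raising the burst would change log volume, not connectivity. If `limited_verdicts` is non-empty, or there is no ACCEPT for port 22 at all, the firewall rules are a plausible cause of refused connections and the SSH-related entries in /var/log/messages should show the rejects.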
participants (3)
- Armin Schoech
- Carlos E. R.
- Pieter Van Gorp