On Tuesday 17 July 2007, Richard Creighton wrote:
John Andersen wrote:
On Tuesday 17 July 2007, Richard Creighton wrote:
But if the logging shows up prefixed with sshd as yours does: Jul 17 00:38:27 raid5 sshd Then you can be assured that the connection attempt DID get to the ssh daemon, and was NOT dropped. If it was dropped the sshd would never see these packets.
I suspect you will have to restart iptables somehow, if not by reboot then by iptables commands. (Shorewall does this for me so I don't know the base level syntax).
I did, and all hell broke loose.... There were error messages during the system reboot that said that.... well, here are the pertinent lines:
Starting Firewall Initialization (phase 2 of 2)
SuSEfirewall2: Warning: ip6tables does not support state matching. Extended IPv6 support disabled.
SuSEfirewall2: Error: unknown parameter name=ssh in FW_SERVICES_ACCEPT_EXT -> 0/0,tcp,22,,hitcount=3,blockseconds=120,name=ssh
<snip>
The only significant difference I see is my name: SSHA is unique, not any common name such as ssh. Your badssh should have worked.
Since then, I manually added the following to the IPTABLES, bypassing SUSEFIREWALL2:
iptables -A FORWARD -p tcp -i eth0 --dport 22 -m recent --name badssh --set -j DROP
iptables -A FORWARD -m recent --name badssh --update --hitcount 3 --seconds 60 -j DROP
Which gave an 'iptables -L' of:
Chain FORWARD (policy DROP)
target  prot opt source    destination
LOG     0    --  anywhere  anywhere     limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING '
DROP    tcp  --  anywhere  anywhere     tcp dpt:ssh recent: SET name: badssh side: source
DROP    0    --  anywhere  anywhere     recent: UPDATE seconds: 60 hit_count: 3 name: badssh side: source
Does it make sense to put this in the forward chain? That's way too late; they have already been seen by the daemon running in THIS machine. If you are going to drop these you want it in the input chain.

In my setup (configured by shorewall):
The INPUT chain references an eth0-In chain.
The eth0-In chain references a chain named net2fw.
net2fw references a chain named %Limit, which defines the rate limit.

So effectively the rate limit is done on the INPUT chain.

--
_____________________________________
John Andersen
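Added example, not code from the thread or from SuSEfirewall2/Shorewall: a small Python model of the iptables `recent` match, used to show what the two rule orderings do once the rules live on the INPUT chain. `RecentTable`, the hypothetical `drop_ssh_attempt_*` functions and the attempt sequence are constructed for illustration; the match semantics mirror the documented xt_recent behaviour of `--set` (always matches, records a timestamp for the source) and `--update --seconds S --hitcount N` (matches when the source already has N hits inside the window, and refreshes the entry on a match). Two things the model makes visible: the rules as posted put `--set -j DROP` first, and because `--set` always matches that ordering drops every SSH packet before the `--update` rule is ever consulted; the usual pattern is `--update ... -j DROP` first, then `--set` with no jump, both restricted to NEW connections so that packets of an already established session do not count as hits.

```python
"""Model of the iptables `recent` match for SSH rate limiting (added example).

Models only the subset used in the thread: --set, and
--update --seconds S --hitcount N.  Real xt_recent keeps at most
ip_pkt_list_tot (default 20) timestamps per address; mirrored here.
"""
from collections import defaultdict, deque

PKT_LIST_TOT = 20  # xt_recent default ip_pkt_list_tot


class RecentTable:
    """One named list (e.g. 'badssh'), keyed by source address."""

    def __init__(self, name):
        self.name = name
        self.hits = defaultdict(lambda: deque(maxlen=PKT_LIST_TOT))

    def set(self, src, now):
        """--set: record a hit for src.  Always matches."""
        self.hits[src].append(now)
        return True

    def update(self, src, now, seconds, hitcount):
        """--update --seconds S --hitcount N.

        Matches when src has at least N hits within the last S seconds.
        Unlike --rcheck, a match also records the current packet as a new
        hit, so a source that keeps hammering stays blocked."""
        if src not in self.hits:
            return False
        in_window = [t for t in self.hits[src] if now - t <= seconds]
        if len(in_window) >= hitcount:
            self.hits[src].append(now)
            return True
        return False


def drop_ssh_attempt_posted(table, src, now):
    """Hypothetical: rule order as posted ('--set -j DROP' first).
    --set always matches, so every SSH packet is dropped here."""
    if table.set(src, now):
        return True
    if table.update(src, now, 60, 3):
        return True
    return False


def drop_ssh_attempt_input(table, src, now, seconds=60, hitcount=3):
    """Hypothetical: the usual INPUT-chain pattern.
    '--update ... -j DROP' first, then '--set' without a jump; a packet
    that reaches the end of the chain is accepted."""
    if table.update(src, now, seconds, hitcount):
        return True
    table.set(src, now)
    return False


def run(chain, attempts):
    """Return one DROP/ACCEPT decision (True = dropped) per attempt."""
    table = RecentTable("badssh")
    return [chain(table, src, t) for t, src in attempts]


def input_chain_rules(iface="eth0", name="badssh", seconds=60, hitcount=3):
    """The two iptables commands the INPUT-chain model corresponds to
    (assumed standard recent-module pattern, not taken from the thread)."""
    common = f"iptables -A INPUT -i {iface} -p tcp --dport 22 -m state --state NEW -m recent --name {name}"
    return [
        f"{common} --update --seconds {seconds} --hitcount {hitcount} -j DROP",
        f"{common} --set",
    ]


# Constructed attempt sequence: (seconds since start, source address).
ATTEMPTS = [
    (0, "10.0.0.5"), (5, "10.0.0.5"), (10, "10.0.0.5"), (15, "10.0.0.5"),
    (20, "10.0.0.9"),   # a different host, first attempt
    (50, "10.0.0.5"),   # still inside the 60 s window: stays blocked
    (200, "10.0.0.5"),  # window has expired: allowed again
]

if __name__ == "__main__":
    print("posted order:", run(drop_ssh_attempt_posted, ATTEMPTS))
    print("INPUT order: ", run(drop_ssh_attempt_input, ATTEMPTS))
    print("\n".join(input_chain_rules()))
```

With the INPUT ordering the fourth attempt from 10.0.0.5 is the first one dropped, the attempt at 50 s is also dropped because the `--update` match refreshed the entry, and the attempt at 200 s is accepted again; the other host is unaffected. With the posted ordering every attempt is dropped.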