On Sat, Apr 13, 2013 at 11:08:59AM +0200, Togan Muftuoglu wrote:
On 04/04/2013 02:30 PM, Togan Muftuoglu wrote:
On 04/04/2013 02:19 PM, Marcus Meissner wrote:
On Thu, Apr 04, 2013 at 02:10:58PM +0200, Togan Muftuoglu wrote:
Hi Per, On 04/04/2013 01:41 PM, Per Jessen wrote: There is the first drop...
I guess dropping was not the issue but keeping the dropped attacker for a long time in hold was the issue for me
Ok, here we go again. In addition to the attacker not being held for a long time, the problem is that in dictionary attacks SuSEfirewall2 fails (or I haven't been able to find a better way), since it takes quite a long time for fail2ban to act.
Fail2ban was in action:
The IP 62.75.202.56 has just been banned by Fail2Ban after 58 attempts against ASTERISK.
So, wondering what the hell SuSEfirewall2 is doing:
Apr 13 03:56:10 whale kernel: SFW2-INext-ACC IN=eth0 OUT= MAC=00:19:66:3f:7f:fe:00:0d:65:ec:6e:ae:08:00 SRC=62.75.202.56 DST=XXX.XXX.XXX.XX LEN=442 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=UDP SPT=5098 DPT=5060 LEN=422
Apr 13 03:56:10 whale kernel: SFW2-INext-ACC IN=eth0 OUT= MAC=00:19:66:3f:7f:fe:00:0d:65:ec:6e:ae:08:00 SRC=62.75.202.56 DST=XXX.XXX.XXX.XX LEN=463 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=UDP SPT=5068 DPT=5060 LEN=443
So there are two packets and they are both accepted. There are no dropped packets from this attacker.
Looking at asterisk, this is again a brute-force dictionary attack, and SuSEfirewall2 is not sufficient with
FW_SERVICES_ACCEPT_EXT="0/0,udp,5060,,hitcount=3,blockseconds=60,recentname=voip"
We have found one issue with this. Can you look at, or better, post _all_ of the above "dmesg" entries? Check especially if the TTL changes for the same SRC IP. Ciao, Marcus
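As an added example (not part of this thread and not SuSEfirewall2's own code), the following Python script replays SFW2 kernel log lines such as the two quoted above through a simplified model of the `hitcount=3,blockseconds=60` limit and reports, per SRC, whether the firewall logged more accepted packets than the limit should allow and whether the TTL changes for the same source, which is the check Marcus asks for. The sliding-window model of the iptables `recent` match, the year 2013 for the timestamps, and the extra log lines (TEST-NET-2 address 198.51.100.7, zeroed MAC, second TTL value) are constructed assumptions.

```python
"""Replay SuSEfirewall2 (SFW2) kernel log lines against a hitcount/blockseconds
rate limit and report TTL changes per source.

Added example, not from the thread. Model assumption: a source may send at most
HITCOUNT packets in any BLOCKSECONDS window and anything beyond that would be
dropped. This is a simplified model of the iptables 'recent' match behind
SuSEfirewall2's hitcount= option, not its exact rule set.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

HITCOUNT = 3        # from FW_SERVICES_ACCEPT_EXT="...,hitcount=3,blockseconds=60,..."
BLOCKSECONDS = 60
YEAR = 2013         # syslog lines carry no year; assumed from the thread date

# Constructed sample log: the first two lines are the ones quoted in the thread,
# the remaining three are constructed (zeroed MAC, TEST-NET-2 address) to show a
# burst from one source and a TTL change for that same source.
SAMPLE_LOG = """\
Apr 13 03:56:10 whale kernel: SFW2-INext-ACC IN=eth0 OUT= MAC=00:19:66:3f:7f:fe:00:0d:65:ec:6e:ae:08:00 SRC=62.75.202.56 DST=XXX.XXX.XXX.XX LEN=442 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=UDP SPT=5098 DPT=5060 LEN=422
Apr 13 03:56:10 whale kernel: SFW2-INext-ACC IN=eth0 OUT= MAC=00:19:66:3f:7f:fe:00:0d:65:ec:6e:ae:08:00 SRC=62.75.202.56 DST=XXX.XXX.XXX.XX LEN=463 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=UDP SPT=5068 DPT=5060 LEN=443
Apr 13 03:56:11 whale kernel: SFW2-INext-ACC IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=62.75.202.56 DST=XXX.XXX.XXX.XX LEN=463 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=UDP SPT=5070 DPT=5060 LEN=443
Apr 13 03:56:12 whale kernel: SFW2-INext-ACC IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=62.75.202.56 DST=XXX.XXX.XXX.XX LEN=463 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=5071 DPT=5060 LEN=443
Apr 13 03:57:30 whale kernel: SFW2-INext-ACC IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=198.51.100.7 DST=XXX.XXX.XXX.XX LEN=463 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=5060 DPT=5060 LEN=443
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (?P<tag>SFW2-\S+) (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_sfw2_line(line):
    """Return a dict for one SFW2 log line, or None if the line is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {}
    for key, value in KV_RE.findall(m.group("rest")):
        fields.setdefault(key, value)   # LEN appears twice (IP and UDP); keep the outer one
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=YEAR)
    return {
        "ts": ts,
        "tag": m.group("tag"),          # SFW2-INext-ACC means the packet was accepted
        "src": fields.get("SRC"),
        "ttl": int(fields["TTL"]) if "TTL" in fields else None,
        "proto": fields.get("PROTO"),
        "dpt": fields.get("DPT"),
    }


def parse_log(text):
    """Parse all SFW2 lines in a syslog excerpt, skipping anything else."""
    return [e for e in (parse_sfw2_line(l) for l in text.splitlines()) if e]


def simulate_hitcount(events, hitcount=HITCOUNT, blockseconds=BLOCKSECONDS):
    """Replay events per SRC through a sliding window and return the verdict the
    modelled limit would give each packet as (src, time, 'ACCEPT'|'DROP')."""
    windows = defaultdict(deque)
    verdicts = []
    for e in events:
        w = windows[e["src"]]
        while w and (e["ts"] - w[0]).total_seconds() > blockseconds:
            w.popleft()                 # expire hits older than the window
        w.append(e["ts"])
        verdict = "ACCEPT" if len(w) <= hitcount else "DROP"
        verdicts.append((e["src"], e["ts"].strftime("%H:%M:%S"), verdict))
    return verdicts


def accepted_beyond_limit(events, hitcount=HITCOUNT, blockseconds=BLOCKSECONDS):
    """Count, per SRC, packets the firewall logged as accepted that the modelled
    limit says should have been dropped. A non-empty result is the symptom the
    thread describes: the limit did not hold for that source."""
    bad = defaultdict(int)
    for (src, _, verdict), e in zip(simulate_hitcount(events, hitcount, blockseconds), events):
        if verdict == "DROP" and e["tag"].endswith("-ACC"):
            bad[src] += 1
    return dict(bad)


def ttl_by_source(events):
    """Map each SRC to the sorted list of TTL values seen from it."""
    ttls = defaultdict(set)
    for e in events:
        if e["ttl"] is not None:
            ttls[e["src"]].add(e["ttl"])
    return {src: sorted(t) for src, t in ttls.items()}


def sources_with_varying_ttl(events):
    """Sources whose TTL changes between packets, the check asked for above."""
    return sorted(src for src, t in ttl_by_source(events).items() if len(t) > 1)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for v in simulate_hitcount(evs):
        print(*v)
    print("accepted beyond limit:", accepted_beyond_limit(evs))
    print("TTL per source:", ttl_by_source(evs))
    print("sources with varying TTL:", sources_with_varying_ttl(evs))
```

Run it against the full `dmesg` output instead of `SAMPLE_LOG` to see, for each source, how many accepted packets exceed the configured hitcount inside the blockseconds window, and which sources show more than one TTL value.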