On 29/07/07, Richard Creighton <ricreig@gmail.com> wrote:
> Turns out that I have spent the morning trying to figure out why that didn't work at all on my machine. I perused the output of iptables -L and found that the order of the rules produced by SuSEfirewall2 is wrong IF you open the ssh port using the sysconfig editor OR the YaST2 firewall configuration (Allowed Services, advanced, TCP ports, external). It puts dpt:22 as ACCEPT BEFORE the rule produced by the line shown above, so that rule never gets executed. The solution is to go back into the sysconfig editor or YaST2 and remove the ssh port; then the above line and the resultant rule become activated and work.
Yeah, you'll need to use either one or the other.
> It really isn't better than fail2ban in that it works at the same level, i.e., at the firewall, and the rule produced by fail2ban is the first rule examined. And, what I like, it is logged, so I can easily produce a report to send to the offending site (that might not even know they have the worm) and suggest they clean house.
iptables can be and is logged, of course; see /var/log/firewall. You can adjust the verbosity of this etc. If you need the rule to be examined sooner, you could put the rule the above generates into /etc/sysconfig/scripts/SuSEfirewall2-custom, inserting the rule where you please. fail2ban might be less prone to DoS attack problems than the simple firewall rule, though.
> As to your second question, I think if you were to examine the output of iptables -L and find the 2 (I believe) lines that make up the rules that make the above line function, you could change the dpt:22 to the port you need to monitor and add it manually. I've not seen anywhere in the GUI that has a place to do it. Assuming, of course, that you don't want to use fail2ban :)
Yes, the rules are space separated, so FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=120,recentname=ssh 0/0,tcp,25......" should work, I believe.

--
Benjamin Weber
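To illustrate the two points in this thread, the space-separated FW_SERVICES_ACCEPT_EXT syntax and the rule-ordering problem where a plain ACCEPT for dpt:22 shadows the hitcount rules, here is an added shell example (not SuSEfirewall2's code and not either poster's). It parses the variable's entries and checks an `iptables -S`-style rule dump for a plain ACCEPT that precedes the `-m recent` rules for the same port; the chain name, the exact shape of the generated rules and the sample dump are constructed assumptions.

```shell
# Added example, not SuSEfirewall2's code: SAMPLE_RULES is a constructed
# `iptables -S INPUT`-style dump of the misordering from the thread, where the
# plain ACCEPT for dpt:22 (YaST Allowed Services) precedes the -m recent rules.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m recent --set --name ssh --rsource
-A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 120 --hitcount 3 --name ssh --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'
# The same dump after removing the ssh port from Allowed Services, as advised.
FIXED_RULES=$(printf '%s\n' "$SAMPLE_RULES" | sed '2d')
FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=120,recentname=ssh 0/0,tcp,25"

# accept_ext_ports "VALUE": split the space-separated entries and print
# "proto/port options" for each (fields inside an entry are comma-separated).
accept_ext_ports() {
  for entry in $1; do
    printf '%s\n' "$entry" | awk -F, '{
      opts = ""
      for (i = 5; i <= NF; i++) opts = opts (i > 5 ? "," : "") $i
      print $2 "/" $3 (opts == "" ? "" : " " opts) }'
  done
}
# shadowed_port PORT (rule dump on stdin): print the number of the first plain
# ACCEPT for PORT that comes before a "-m recent" rule for the same port.
# Exit status 0 = shadowed, 1 = the rate-limit rules are reachable.
shadowed_port() {
  awk -v port="$1" '
    /^-A / { n++ }
    ($0 " ") ~ ("--dport " port " ") {
      if ($0 ~ /-m recent/) { if (first_accept) { print first_accept; found = 1; exit } }
      else if ($0 ~ /-j ACCEPT/ && !first_accept) first_accept = n
    }
    END { exit (found ? 0 : 1) }'
}
# check_hitcount_entries "VALUE" (rule dump on stdin): for every entry that
# carries hitcount=, report whether its rate limit is shadowed in the dump.
check_hitcount_entries() {
  rules=$(cat)
  accept_ext_ports "$1" | while read -r proto_port opts; do
    case "$opts" in *hitcount=*) ;; *) continue ;; esac
    port=${proto_port#*/}
    if n=$(printf '%s\n' "$rules" | shadowed_port "$port"); then
      printf 'port %s: rate limit shadowed by rule %s\n' "$port" "$n"
    else printf 'port %s: rate limit reachable\n' "$port"; fi
  done
}

printf '%s\n' "$SAMPLE_RULES" | check_hitcount_entries "$FW_SERVICES_ACCEPT_EXT"
printf '%s\n' "$FIXED_RULES" | check_hitcount_entries "$FW_SERVICES_ACCEPT_EXT"
```

On a live system the dump would come from `iptables -S` rather than the constructed sample; the same shadowing check applies to any other port given a hitcount= entry.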