John Andersen wrote:
On Tuesday 17 July 2007, Richard Creighton wrote:
But if the logging shows up prefixed with sshd as yours does:
Jul 17 00:38:27 raid5 sshd
Then you can be assured that the connection attempt DID get to the ssh daemon, and was NOT dropped. If it was dropped the sshd would never see these packets.
I suspect you will have to restart iptables somehow, if not by reboot then by iptables commands. (Shorewall does this for me so I don't know the base level syntax).
I did and all hell broke loose.... There were error messages during the system reboot that said that.... Well, here is the pertinent line:
Starting Firewall Initialization (phase 2 of 2)
SuSEfirewall2: Warning: ip6tables does not support state matching. Extended IPv6 support disabled.
SuSEfirewall2: Error: unknown parameter name=ssh in FW_SERVICES_ACCEPT_EXT -> 0/0,tcp,22,,hitcount=3,blockseconds=120,name=ssh
<snip>
The only significant difference I see is my name: SSHA is unique, not any common name such as ssh. Your badssh should have worked.
Since then, I manually added the following to the IPTABLES, bypassing SuSEfirewall2:
iptables -A FORWARD -p tcp -i eth0 --dport 22 -m recent --name badssh --set -j DROP
iptables -A FORWARD -m recent --name badssh --update --hitcount 3 --seconds 60 -j DROP
Which gave an 'iptables -L' of:
Chain FORWARD (policy DROP)
target     prot opt source               destination
LOG        0    --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING '
DROP       tcp  --  anywhere             anywhere             tcp dpt:ssh recent: SET name: badssh side: source
DROP       0    --  anywhere             anywhere             recent: UPDATE seconds: 60 hit_count: 3 name: badssh side: source
which looks like it made it into the IPTABLES.... However, as I type this, my entire LAN is under attack, including this machine, with a concerted sshd dictionary attack:
Jul 17 16:04:56 raid5 sshd[7401]: Invalid user admin from 61.145.119.180
Jul 17 16:05:02 raid5 sshd[7403]: Invalid user admin from 61.145.119.180
Jul 17 16:05:06 raid5 sshd[7405]: Invalid user admin from 61.145.119.180
Jul 17 16:05:08 raid5 sshd[7407]: Invalid user admin from 61.145.119.180
Jul 17 16:05:11 raid5 sshd[7409]: Invalid user admin from 61.145.119.180
Jul 17 16:05:14 raid5 sshd[7411]: Invalid user admin from 61.145.119.180
Jul 17 16:05:17 raid5 sshd[7413]: Invalid user admin from 61.145.119.180
Jul 17 16:05:20 raid5 sshd[7415]: Invalid user admin from 61.145.119.180
Jul 17 16:05:23 raid5 sshd[7418]: Invalid user admin from 61.145.119.180
Jul 17 16:05:26 raid5 sshd[7420]: Invalid user admin from 61.145.119.180
Jul 17 16:05:29 raid5 sshd[7422]: Invalid user admin from 61.145.119.180
Jul 17 16:05:31 raid5 sshd[7425]: Invalid user admin from 61.145.119.180
Jul 17 16:05:34 raid5 sshd[7428]: Invalid user admin from 61.145.119.180
Jul 17 16:05:37 raid5 sshd[7430]: Invalid user admin from 61.145.119.180
and going through zzzz.
So, for some reason, even though it would appear that IPTABLES is *supposed* to be dropping packets, I still don't have the magic incantation yet. Maybe I am putting it in the wrong place? Help!!!!
Richard
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
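Editor's note with an added example; this is not code from the thread or from SuSEfirewall2. The posted rules sit in the FORWARD chain, which only sees packets routed through the box. Connections to sshd on raid5 itself traverse INPUT, so the FORWARD rules are never consulted and sshd keeps logging the attempts, exactly as John describes. Two further problems with the rules as posted: the --set rule ends in -j DROP, so once it is reached it drops every SSH packet, first attempt included; and with no --syn, every packet of one session counts toward the hitcount, so even a legitimate login would trip the limit. The script below emits a corrected rule set for INPUT. It assumes, as in Richard's rules, that the external interface is eth0, the list is named badssh and the threshold is 3 new connections in 60 seconds.

```shell
#!/bin/sh
# Added example (not from the thread): throttle SSH brute force with the
# iptables "recent" match in the INPUT chain, where packets to a local sshd
# arrive, instead of FORWARD, which only sees routed traffic.
# Assumed, as in the posted rules: interface eth0, list badssh, 3 per 60 s.

ssh_ratelimit_rules() {
    # -I INPUT 1/2/3 inserts at the top in this order. SuSEfirewall2 already
    # ACCEPTs tcp/22 in its own chains, so rules appended with -A would land
    # after that ACCEPT and never be reached.
    #
    # 1. Packets of sessions that are already open are accepted outright,
    #    so an established admin session is never counted or cut off.
    echo "iptables -I INPUT 1 -i eth0 -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 2. Check first: a source that already has 3 connection openings
    #    recorded within the last 60 s has its timer refreshed (--update)
    #    and is dropped. --syn counts only connection openings; without it
    #    every packet of a single session would count toward the hitcount.
    echo "iptables -I INPUT 2 -i eth0 -p tcp --dport 22 --syn -m recent --name badssh --update --seconds 60 --hitcount 3 -j DROP"
    # 3. Only then record the opening (--set) and let it through. The posted
    #    --set rule jumped to DROP, which drops every SSH packet it sees.
    echo "iptables -I INPUT 3 -i eth0 -p tcp --dport 22 --syn -m recent --name badssh --set -j ACCEPT"
}

# Print the rules by default; "apply" runs them (needs root and iptables).
if [ "${1:-print}" = "apply" ]; then
    ssh_ratelimit_rules | while IFS= read -r rule; do
        eval "$rule" || exit 1
    done || exit 1
else
    ssh_ratelimit_rules
fi
```

Check the result with `iptables -L INPUT -n -v --line-numbers`: the three rules should be at the top, and the packet counter on the DROP rule should climb while an attack like the one above is running. The addresses currently tracked appear in /proc/net/ipt_recent/badssh on kernels of that era (/proc/net/xt_recent/badssh on later ones). Note that anything added by hand is discarded the next time SuSEfirewall2 rebuilds its rule set, so the rules need to be re-added after every firewall restart or hooked into whatever custom-rules mechanism the installed SuSEfirewall2 version provides.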