Joachim Schrod wrote:
There is a problem with the recent module and its interpretation of jiffies. ssh login does not work when one has just booted, until jiffies reaches 0 and starts incrementing, then it works. (That's roughly 5 minutes.) There is a bug report in Debian about this.
That particular problem I can live with, but you mention another one concerning jiffies further down.
We have now abandoned that approach, also for other reasons. Let me see, maybe the following is of interest...
Yes, thanks - very much worth a read.
The ssh server is not necessarily run on the firewall. I.e., the firewall may forward ssh connections to a system in the DMZ.
Yes, this is the case in my setup.
That solution would be a very good choice -- if it worked. ipt_recent doesn't work correctly when jiffies in the Linux kernel overflow. Then it blocks every request, even though they didn't pass the threshold.
Umm, that's a showstopper alright. I found these: https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=415 http://blog.blackdown.de/2005/05/09/fixing-the-ipt_recent-netfilter-module/ which seems to suggest that the jiffies problem is fixed in recent 2.6 kernels. I wonder if any of it got backported to 2.4.
Therefore we have chosen to skip this approach. CHOSEN SOLUTION:
I sort of like your alternative solution, although it is a little too complicated/over-engineered for my own needs. For various reasons we must have ssh access externally, but it is not used very much - less than once per month. We should undoubtedly just switch to not using passwords, but changing it is not a high priority.
logsurfer is used because I don't know a better log watching and event creation system. I would prefer to have a better one; it is not really suited for the task, as explained below.
I don't know logsurfer, but syslog-ng has some pretty neat features for diverting log-entries to different files and/or pipes, even a database. That has been quite helpful to me a number of times. /Per Jessen, Zürich