I have a problem on one of my servers. A specific host has been attacking my server via ssh for the past 5 hours. Now it is starting to cost me in bandwidth usage. How can I set up SuSEFirewall2 to just drop all packets from that specific host? Thanks -- Andre Truter | Software Engineer | Registered Linux user #185282 ICQ #40935899 | AIM: trusoftzaf | http://www.trusoft.za.org ~ A dinosaur is a salamander designed to Mil Spec ~
On Thursday 22 December 2005 09:34, Andre Truter wrote:
I have a problem on one of my servers. A specific host has been attacking my server via ssh for the past 5 hours.
Now it is starting to cost me in bandwidth usage.
How can I set up SuSEFirewall2 to just drop all packets from that specific host?
I don't know how to do it with SUSE Firewall but you can do it by hand with iptables:
iptables -A INPUT -s ip.address.of.the.attacker -j DROP
-- Liviu Damian Mobile: +40 741 226993; Fax: +1 347-632-4117 Phone : +1 360-526-6441; +49 1801 6666266027 URL: http://liviudm.blogspot.com
As far as I can see there is no way of doing it in SuSEFirewall2, one of the drawbacks of a gui solution.
Regards Per
On Thursday 22 December 2005 09:42, Liviu Damian wrote:
On Thursday 22 December 2005 09:34, Andre Truter wrote:
I have a problem on one of my servers. A specific host has been attacking my server via ssh for the past 5 hours.
Now it is starting to cost me in bandwidth usage.
How can I set up SuSEFirewall2 to just drop all packets from that specific host?
I don't know how to do it with SUSE Firewall but you can do it by hand with iptables: iptables -A INPUT -s ip.address.of.the.attacker -j DROP
-- Liviu Damian Mobile: +40 741 226993; Fax: +1 347-632-4117 Phone : +1 360-526-6441; +49 1801 6666266027 URL: http://liviudm.blogspot.com
On Thu, 2005-12-22 at 07:06 +0200, Per Qvindesland wrote:
As far as I can see there is no way of doing it in SuSEFirewall2 one of the drawbacks of a gui solution.
Regards Per
Not really. One of the drawbacks of a GUI not programmed to use all of the features of a program. Perhaps SuSEFirewall2 needs to be redone to support -all- of the features of iptables and -not- just enough to get by as quite a few GUIs in linux do. One of the reasons linux is not being adopted as fast as once was thought. -- Ken Schneider UNIX since 1989, linux since 1994, SuSE since 1998
The Thursday 2005-12-22 at 08:10 -0500, Ken Schneider wrote:
Not really. One of the drawbacks of a GUI not programmed to use all of the features of a program. Perhaps SuSEFirewall2 needs to be redone to support -all- of the features of iptables and -not- just enough to get by as quite a few GUIs in linux do. One of the reasons linux is not being adopted as fast as once was thought.
SuSEFirewall is not a gui. There is a GUI frontend to use SuSEFirewall, as a part of YaST, and that's all. You have the real plain text configuration in /etc/sysconfig/SuSEfirewall2
-- Cheers, Carlos Robinson
On 12/22/05, Carlos E. R. <robin1.listas@tiscali.es> wrote:
The Thursday 2005-12-22 at 08:10 -0500, Ken Schneider wrote:
Not really. One of the drawbacks of a GUI not programmed to use all of the features of a program. Perhaps SuSEFirewall2 needs to be redone to support -all- of the features of iptables and -not- just enough to get by as quite a few GUIs in linux do. One of the reasons linux is not being adopted as fast as once was thought.
SuSEFirewall is not a gui.
There is a GUI frontend to use SuSEFirewall, as a part of YaST, and that's all. You have the real plain text configuration in /etc/sysconfig/SuSEfirewall2
-- Cheers, Carlos Robinson
Check fwbuilder. Great GUI for creating iptables (and not only) firewalls. -- -- Svetoslav Milenov (Sunny)
On Thu, 2005-12-22 at 16:40 +0100, Carlos E. R. wrote:
The Thursday 2005-12-22 at 08:10 -0500, Ken Schneider wrote:
Not really. One of the drawbacks of a GUI not programmed to use all of the features of a program. Perhaps SuSEFirewall2 needs to be redone to support -all- of the features of iptables and -not- just enough to get by as quite a few GUIs in linux do. One of the reasons linux is not being adopted as fast as once was thought.
SuSEFirewall is not a gui.
There is a GUI frontend to use SuSEFirewall, as a part of YaST, and that's all. You have the real plain text configuration in /etc/sysconfig/SuSEfirewall2
This I fully understand and should have been more specific about using YaST2 to do the configuration. How many windows users will -not- make the switch because there is not a good gui to fully configure app XXX? Current windows users are so used to using -only- a gui program to config "app x" that they will get totally lost trying to use the command line to do so. And remember that there has been enough time now that a lot of people have never used a command line in windows and would not know how to get to one if their life depended on it. Sure the command line can, for the most part, be easier but as in most things it is only easier when you know how and not before hand. -- Ken Schneider UNIX since 1989, linux since 1994, SuSE since 1998
I have a problem on one of my servers. A specific host has been attacking my server via ssh for the past 5 hours.
Now it is starting to cost me in bandwidth usage.
How can I set up SuSEFirewall2 to just drop all packets from that specific host?
I don't know how to do it with SUSE Firewall but you can do it by hand with iptables:
iptables -A INPUT -s ip.address.of.the.attacker -j DROP
From archive, I see that you can add the script in /etc/sysconfig/scripts/SuSEfirewall2-custom in fw_custom_before_port_handling() But I haven't tried it yet.
regards, -- Arie Reynaldi Zanahar reymanx at gmail.com http://www.reynaldi.or.id
On 12/22/05, Liviu Damian <dazzle.digital@gmail.com> wrote:
On Thursday 22 December 2005 09:34, Andre Truter wrote:
I have a problem on one of my servers. A specific host has been attacking my server via ssh for the past 5 hours.
Now it is starting to cost me in bandwidth usage.
How can I set up SuSEFirewall2 to just drop all packets from that specific host?
I don't know how to do it with SUSE Firewall but you can do it by hand with iptables:
iptables -A INPUT -s ip.address.of.the.attacker -j DROP
No, unfortunately that does not work. -- Andre Truter | Software Engineer | Registered Linux user #185282 ICQ #40935899 | AIM: trusoftzaf | http://www.trusoft.za.org ~ A dinosaur is a salamander designed to Mil Spec ~
On Thursday 22 December 2005 08:36, Andre Truter wrote: [snip]
No, unfortunately that does not work.
But why not? I thought you could add custom rules to SuSEfirewall2 via an include file - see question 25 in /etc/sysconfig/SuSEfirewall2. You just create a file, write in your custom rules and tell SuSEfirewall2 where the file is. Unless the actual rule itself isn't correctly formulated, of course, in which case it will never work. If SuSE's firewall is really this limited - hard to believe but possible, I guess - then maybe it's time to look at another solution. An extremely good one I use on another distro is Shorewall (now often called Shoreline). :) Fish
On 12/22/05, Mark Crean <mcrean@snowpetrel.net> wrote:
On Thursday 22 December 2005 08:36, Andre Truter wrote: [snip]
No, unfortunately that does not work.
But why not? I thought you could add custom rules to SuSEfirewall2 via an include file - see question 25 in /etc/sysconfig/SuSEfirewall2. You just create a file, write in your custom rules and tell SuSEfirewall2 where the file is. Unless the actual rule itself isn't correctly formulated, of course, in which case it will never work.
In this case it is the rule itself that does not work. I added the rule directly from the command line. So, it is not that SuSEFirewall cannot take custom commands, it can, via the include file as you mention. But my reply was to state that the given rule did not work. -- Andre Truter | Software Engineer | Registered Linux user #185282 ICQ #40935899 | AIM: trusoftzaf | http://www.trusoft.za.org ~ A dinosaur is a salamander designed to Mil Spec ~
On Thursday 22 December 2005 12:22, Andre Truter wrote:
But my reply was to state that the given rule did not work.
Ah, OK then. There are some good ideas at this url: http://www.debian-administration.org/articles/250 I know this is for another distro but iptables and ssh attacks are still the same. Some useful links from this page too. :) Fish
On Thu, 2005-12-22 at 11:42 +0000, Mark Crean wrote:
On Thursday 22 December 2005 08:36, Andre Truter wrote: [snip]
No, unfortunately that does not work.
But why not? I thought you could add custom rules to SuSEfirewall2 via an include file - see question 25 in /etc/sysconfig/SuSEfirewall2. You just create a file, write in your custom rules and tell SuSEfirewall2 where the file is. Unless the actual rule itself isn't correctly formulated, of course, in which case it will never work.
If SuSE's firewall is really this limited - hard to believe but possible, I guess - then maybe it's time to look at another solution. An extremely good one I use on another distro is Shorewall (now often called Shoreline).
This is probably a stupid question, but did the firewall get restarted or forced to re-read the configs, so that the change was recognized?
On Thursday 22 December 2005 07:34, Andre Truter wrote:
I have a problem on one of my servers. A specific host has been attacking my server via ssh for the past 5 hours.
Now it is starting to cost me in bandwidth usage.
How can I set up SuSEFirewall2 to just drop all packets from that specific host?
Thanks -- Andre Truter | Software Engineer | Registered Linux user #185282 ICQ #40935899 | AIM: trusoftzaf | http://www.trusoft.za.org
~ A dinosaur is a salamander designed to Mil Spec ~
Why not try the fix I used to stop these idiots causing problems
I simply reassigned ssh to another port number that is far enough out of the way to make it safe since then I have had no more attacks I won't publish what port I am using but it is a five digit number , All of my machines now use that port by default .. Pete . -- If Bill Gates had gotten LAID at High School do YOU think there would be a Microsoft ? Of course NOT ! You gotta spend a lot of time at your school Locker stuffing underware up your ass to think , I am going to take on the worlds Computer Industry -------:heard on Cyber Radio.:------- AFFA
On 12/22/05, Peter Nikolic <p.nikolic1@btinternet.com> wrote:
Why not try the fix I used to stop these idiots causing problems
I simply reassigned ssh to another port number that is far enough out of the way to make it safe since then I have had no more attacks I won't publish what port I am using but it is a five digit number , All of my machines now use that port by default ..
That is what I have done now, but it causes some other problems for me. One of the sites that I work from block stuff in and out. So, when I am on their network (and I spend most of my time there) I can only ssh out of their network via port 22. So, now, to get to my server (which is located about 20 km from there) I have to first ssh into another server that is located on the other side of the planet and then from there ssh back into my server via my special port. So, the latency is very bad. But I suppose it is not a bad price to pay in order to avoid the bastards from hitting my box all the time. It just sounds a bit silly to circumvent the planet in order to log into my box.... :-) -- Andre Truter | Software Engineer | Registered Linux user #185282 ICQ #40935899 | AIM: trusoftzaf | http://www.trusoft.za.org ~ A dinosaur is a salamander designed to Mil Spec ~
On Thursday 22 December 2005 09:35, Andre Truter wrote:
On 12/22/05, Peter Nikolic <p.nikolic1@btinternet.com> wrote:
Why not try the fix I used to stop these idiots causing problems
I simply reassigned ssh to another port number that is far enough out of the way to make it safe since then I have had no more attacks I won't publish what port I am using but it is a five digit number , All of my machines now use that port by default ..
That is what I have done now, but it causes some other problems for me.
One of the sites that I work from block stuff in and out. So, when I am on their network (and I spend most of my time there) I can only ssh out of their network via port 22.
So, now, to get to my server (which is located about 20 km from there) I have to first ssh into another server that is located on the other side of the planet and then from there ssh back into my server via my special port.
So, the latency is very bad.
But I suppose it is not a bad price to pay in order to avoid the bastards from hitting my box all the time. It just sounds a bit silly to circumvent the planet in order to log into my box.... :-)
-- Andre Truter | Software Engineer | Registered Linux user #185282 ICQ #40935899 | AIM: trusoftzaf | http://www.trusoft.za.org
~ A dinosaur is a salamander designed to Mil Spec ~
you can use "ssh -P port number" to use the standard port for one connection .. Pete . -- If Bill Gates had gotten LAID at High School do YOU think there would be a Microsoft ? Of course NOT ! You gotta spend a lot of time at your school Locker stuffing underware up your ass to think , I am going to take on the worlds Computer Industry -------:heard on Cyber Radio.:------- AFFA
The Thursday 2005-12-22 at 09:34 +0200, Andre Truter wrote:
I have a problem on one of my servers. A specific host has been attacking my server via ssh for the past 5 hours.
Now it is starting to cost me in bandwidth usage.
How can I set up SuSEFirewall2 to just drop all packets from that specific host?
I copied this from the security list:

|Date: Tue, 13 Dec 2005 10:21:59 +0100 (CET)
|From: Bjorn Tore Sund
|Subject: Re: SPAM: Re: [suse-security] Openssh + security
| ...
|
| I assume you're looking for the "recent" module for iptables.
|
| # Blocking ssh attacks
| /usr/sbin/iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
| /usr/sbin/iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j LOG --log-prefix 'SSH attack: '
| /usr/sbin/iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j REJECT
|
| This will block all further syns from an IP address starting on the
| sixth port 22 connection within 60 seconds. It takes 60 seconds of
| absolute quiet from that same ip address (or a reboot) to make the
| block go away. Kills a LOT of brute force ssh attacks. I've also
| used this both against web statistics spammers and email DOSers with
| good results.
|
| Bjørn

I guess the place for it would be in /etc/sysconfig/scripts/SuSEFirewall2-custom or thereabouts; somebody said in fw_custom_before_antispoofing, others in fw_custom_before_port_handling. I dunno. Probably the best place to ask for this is the security list, but check the archive first.
-- Cheers, Carlos Robinson
* Andre Truter <andre.truter@gmail.com> [12-22-05 02:35]:
I have a problem on one of my servers. A specific host has been attacking my server via ssh for the past 5 hours.
Now it is starting to cost me in bandwidth usage.
How can I set up SuSEFirewall2 to just drop all packets from that specific host?
I had similar problems and in this forum, Ulf Rasch X-Message-Number-for-archive: 251791 on 10-29-2005 advised:
edit: /etc/sysconfig/scripts/SuSEfirewall2-custom
to section: f2_custom_after_antispoofing()
add: iptables -I INPUT 1 -s <ip.number.x.x>/16 -j DROP
and it works perfectly for me.
-- Patrick Shanahan Registered Linux User #207535 http://wahoo.no-ip.org @ http://counter.li.org HOG # US1244711 Photo Album: http://wahoo.no-ip.org/gallery2
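The per-host DROP rule from the message above, generalised to a blocklist file with input validation, as an added example that is not part of the original thread. The function names and the blocklist format are assumptions; the addresses are constructed samples from documentation ranges.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not SuSEfirewall2 code).
# Reads one IPv4 address or CIDR per line on stdin and prints the DROP rule
# for each valid entry. With APPLY=1 the rule is run instead of printed
# (needs root and iptables).

# valid_ipv4_cidr ENTRY -> exit 0 only for a.b.c.d or a.b.c.d/len
valid_ipv4_cidr() {
    addr=${1%%/*}
    case $1 in
        */*) len=${1#*/} ;;
        *)   len=32 ;;
    esac
    # prefix length: one or two digits, 0..32
    case $len in ''|*[!0-9]*) return 1 ;; esac
    [ ${#len} -le 2 ] && [ "$len" -le 32 ] || return 1
    # address: digits and dots only, no empty fields
    case $addr in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        # refuse leading zeros (ambiguous: some parsers read them as octal)
        case $octet in 0?*) return 1 ;; esac
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# drop_rules < BLOCKLIST
# stdout: one iptables command per valid entry; stderr: one warning per
# rejected entry. Blank lines and "#" comments are ignored.
drop_rules() {
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}
        entry=$(printf '%s' "$entry" | tr -d ' \t')
        [ -n "$entry" ] || continue
        if valid_ipv4_cidr "$entry"; then
            if [ "${APPLY:-0}" = 1 ]; then
                iptables -I INPUT 1 -s "$entry" -j DROP
            else
                printf 'iptables -I INPUT 1 -s %s -j DROP\n' "$entry"
            fi
        else
            printf 'skipped invalid entry: %s\n' "$line" >&2
        fi
    done
}

# Constructed sample blocklist (documentation address ranges only).
sample_blocklist() {
    cat <<'EOF'
# constructed sample blocklist
203.0.113.45          # single host
198.51.100.0/24       # whole /24

192.0.2.300           # octet out of range
203.0.113.7/33        # prefix too long
attacker.example      # hostnames are refused, no DNS lookups in the firewall
EOF
}

# Dry run: prints two rules, warns about three entries.
sample_blocklist | drop_rules
```

Assuming the helper is sourced from one of the fw_custom_* hooks in /etc/sysconfig/scripts/SuSEfirewall2-custom and fed a real blocklist with APPLY=1, the rules are inserted again each time the firewall reloads.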
Greeting'z, On Thursday 22 December 2005 01:34 am, Andre Truter wrote:
I have a problem on one of my servers. A specific host has been attacking my server via ssh for the past 5 hours.
Now it is starting to cost me in bandwidth usage.
How can I set up SuSEFirewall2 to just drop all packets from that specific host?
Thanks -- Andre Truter | Software Engineer | Registered Linux user #185282 ICQ #40935899 | AIM: trusoftzaf | http://www.trusoft.za.org
~ A dinosaur is a salamander designed to Mil Spec ~
Why bother with the firewall, do it the easy way:
sudo echo "PORT : IP_ADDY/NETMASK" >>/etc/hosts.deny && rcsshd restart
done.
examples:
block a single host: ssh : 211.206.120.15/255.255.255.0
block an entire subnet: ssh : 220.135.213.*/255.255.254.0
(these ip's were bugging me daily, no more)
-- "NiTa Ek WeLu Ek Ra"
* Zarantu <zarantu@gmail.com> [12-25-05 15:06]:
Why bother with the firewall, do it the easy way: sudo echo "PORT : IP_ADDY/NETMASK" >>/etc/hosts.deny && rcsshd restart done.
examples: block a single host: ssh : 211.206.120.15/255.255.255.0 block an entire subnet: ssh : 220.135.213.*/255.255.254.0 (these ip's were bugging me daily, no more)
If you are taking this route, why just 'ssh'? Why not block 'all'? -- Patrick Shanahan Registered Linux User #207535 http://wahoo.no-ip.org @ http://counter.li.org HOG # US1244711 Photo Album: http://wahoo.no-ip.org/gallery2
On 12/25/05, Zarantu <zarantu@gmail.com> wrote:
Why bother with the firewall, do it the easy way: sudo echo "PORT : IP_ADDY/NETMASK" >>/etc/hosts.deny && rcsshd restart done.
But won't this still cause my box to respond to their request - even to just say DENY? That will still result in bandwidth being used, which I want to prevent. For now I am still running on a different ssh port as this seems to be the best solution. I tried to setup the port-knocking in the firewall, but for some reason it disables all ssh access on that box. Works fine on a test box, but not on the production... Anyway, the different ssh port seems to work out OK for now. -- Andre Truter | Software Engineer | Registered Linux user #185282 ICQ #40935899 | AIM: trusoftzaf | http://www.trusoft.za.org ~ A dinosaur is a salamander designed to Mil Spec ~
The Sunday 2005-12-25 at 23:17 +0200, Andre Truter wrote:
Why bother with the firewall, do it the easy way: sudo echo "PORT : IP_ADDY/NETMASK" >>/etc/hosts.deny && rcsshd restart done.
But won't this still cause my box to respond to their request - even to just say DENY?
Right. I just tried the trick I mentioned the other day, making use of the "recent" module for iptables, and it works. It allows me to try six times in a minute, and the seventh it blocks me. It can be adjusted. This is what I see on the log for failed tries:

Dec 26 01:46:15 nimrodel kernel: SSH attack: IN=eth0 OUT= MAC=00:40:f4:2e:b1:21:00:30:84:0a:8b:f5:08:00 SRC=192.168.100.1 DST=192.168.100.2 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=50094 DF PROTO=TCP SPT=1048 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

It is as follows; edit /etc/sysconfig/scripts/SuSEfirewall2-custom; search for function "fw_custom_before_antispoofing()" near the beginning. Insert this:

fw_custom_before_antispoofing() {
    # Blocking ssh attacks
    iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
    iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j LOG --log-prefix 'SSH attack: '
    iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j REJECT
    true
}

Then reload the firewall with the command "SuSEfirewall2":

nimrodel:/etc/sysconfig/scripts # SuSEfirewall2
SuSEfirewall2: Warning: ip6tables does not support state matching. Extended IPv6 support disabled.
SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
SuSEfirewall2: Firewall customary rules loaded from /etc/sysconfig/scripts/SuSEfirewall2-custom
SuSEfirewall2: Firewall rules successfully set
nimrodel:/etc/sysconfig/scripts #

I don't have a full time network connection, so I can't try this "out there", but I think it should work, it is easy and automatic, and efficient on the network, I suppose. And, I know almost nothing about iptables, so I don't know if the rule is perfect; for example, I don't know whether it should better be "DROP" instead of "REJECT"...
-- Cheers, Carlos Robinson
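A way to review what the LOG rule in the message above catches, as an added example that is not part of the original thread: it counts kernel log lines carrying the 'SSH attack: ' prefix per source address and shows when each source was first and last logged. The function names are assumptions, and every sample line except the first (quoted from the message) is constructed.

```shell
#!/bin/sh
# Added example (hypothetical function names). Summarises netfilter LOG
# lines written by the rule with --log-prefix 'SSH attack: '.

# ssh_attack_summary < SYSLOG
# Prints one tab-separated line per source: COUNT, SRC, first seen, last
# seen, busiest source first. Only kernel lines with the prefix and DPT=22
# are counted; anything else in the log is ignored.
ssh_attack_summary() {
    tab=$(printf '\t')
    awk '
        / kernel: .*SSH attack: IN=/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)      src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == "" || dpt != "22") next
            ts = $1 " " $2 " " $3            # syslog timestamp, no year
            if (!(src in hits)) first[src] = ts
            last[src] = ts
            hits[src]++
        }
        END {
            for (s in hits)
                printf "%d\t%s\t%s\t%s\n", hits[s], s, first[s], last[s]
        }
    ' | sort -t "$tab" -k1,1nr -k2,2
}

# First line is the log entry quoted in the message; the rest are
# constructed for the example.
sample_log() {
    cat <<'EOF'
Dec 26 01:46:15 nimrodel kernel: SSH attack: IN=eth0 OUT= MAC=00:40:f4:2e:b1:21:00:30:84:0a:8b:f5:08:00 SRC=192.168.100.1 DST=192.168.100.2 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=50094 DF PROTO=TCP SPT=1048 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 26 02:10:01 nimrodel kernel: SSH attack: IN=eth0 OUT= SRC=203.0.113.45 DST=192.168.100.2 LEN=60 PROTO=TCP SPT=40001 DPT=22 SYN URGP=0
Dec 26 02:10:02 nimrodel kernel: SSH attack: IN=eth0 OUT= SRC=203.0.113.45 DST=192.168.100.2 LEN=60 PROTO=TCP SPT=40002 DPT=22 SYN URGP=0
Dec 26 02:10:02 nimrodel sshd[4242]: Failed password for root from 203.0.113.45 port 40000 ssh2
Dec 26 02:10:03 nimrodel kernel: SSH attack: IN=eth0 OUT= SRC=203.0.113.45 DST=192.168.100.2 LEN=60 PROTO=TCP SPT=40003 DPT=22 SYN URGP=0
Dec 26 02:11:40 nimrodel kernel: OTHER-PREFIX IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.100.2 LEN=60 PROTO=TCP SPT=50000 DPT=25 SYN URGP=0
EOF
}

# Prints two summary lines: 203.0.113.45 (3 hits), then 192.168.100.1 (1).
sample_log | ssh_attack_summary
```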
On 12/26/05, Carlos E. R. <robin1.listas@tiscali.es> wrote:
I just tried the trick I mentioned the other day, making use of the "recent" module for iptables, and it works. It allows me to try six times in a minute, and the seventh it blocks me. It can be adjusted. This is what I see on the log for failed tries:
Yes, this worked beautifully on my test box, but when I implemented it on my production box, the firewall permanently blocked all ssh access for some reason. I have not been able to figure out why. Being a production box, I cannot afford to play around with it too much, so I had to take option 2 (change ssh port) until I can find time again when fidgeting with the firewall won't affect service too much. -- Andre Truter | Software Engineer | Registered Linux user #185282 ICQ #40935899 | AIM: trusoftzaf | http://www.trusoft.za.org ~ A dinosaur is a salamander designed to Mil Spec ~
The Monday 2005-12-26 at 09:05 +0200, Andre Truter wrote: [ipt_recent]
Yes, this worked beautifully on my test box, but when I implemented it on my production box, the firewall permanently blocked all ssh access for some reason.
Ah!? :-O From any IP? You probably typed something wrong, or perhaps it is an SLE with different things. I tried it locally, and it certainly allows me to connect, but then, I don't have several machines from which to log in and see if the rest are blocked as a side effect. It shouldn't be.
I have not been able to figure out why.
I don't know, I know very little about iptables. You can try the suse-security list, the firewall knowledgeable people are there. I copied the idea from there, after all.
Being a production box, I cannot afford to play around with it too much, so I had to take option 2 (change ssh port) until I can find time again when fidgeting with the firewall won't affect service too much.
I understand, of course. Perhaps when people come back from holidays they can comment on this. Happy "past" Christmas, by the way ;-)
-- Cheers, Carlos Robinson
The Monday 2005-12-26 at 13:14 +0100, steve wrote:
Sorry to jump in late on this thread but doesn't the OP simply need an entry in /etc/hosts.deny for the IP he wants to block?
ALL:the.ip.of.hacker or maybe: sshd:the.ip.of.hacker
If it is only one, yes. But, if the hacker is intent on hacking you, he will switch to another IP. If not, there are many more "script kiddies" out there who will try. So, you need a dynamic or automated tool. I know of one at least that edits that file, and removes the entries after a configurable delay - login_sentry, http://www.lumiere.net/~j/login_sentry/ I think I prefer the firewall way, as the connection attempt can be simply dropped. Less traffic at our side. Also, it seems to me the automation is easier and robust, it works at the kernel level. Programs like login_sentry work scanning the logs, I understand.
-- Cheers, Carlos Robinson
* Carlos E. R. <robin1.listas@tiscali.es> [12-26-05 15:06]:
If it is only one, yes. But, if the hacker is intent on hacking you, he will switch to another IP. If not, there are many more "script kiddies" out there who will try. So, you need a dynamic or automated tool. I know of one at least that edits that file, and removes the entries after a configurable delay - login_sentry, http://www.lumiere.net/~j/login_sentry/
DenyHost, http://denyhosts.sourceforge.net/ will also dynamically edit hosts.deny and remove the entry after a configurable delay. My logs have become manageable since I installed it. -- Patrick Shanahan Registered Linux User #207535 http://wahoo.no-ip.org @ http://counter.li.org HOG # US1244711 Photo Album: http://wahoo.no-ip.org/gallery2
Patrick Shanahan wrote:
DenyHost, http://denyhosts.sourceforge.net/ will also dynamically edit hosts.deny and remove the entry after a configurable delay. My logs have become manageable since I installed it.
How does this work in conjunction with the SuseFirewall2? -- Thanks http://www.911networks.com
* Syv Ritch <suse@911networks.com> [12-26-05 16:58]:
How does this work in conjunction with the SuseFirewall2?
I made no change to SuSEFirewall2. It complements it. -- Patrick Shanahan Registered Linux User #207535 http://wahoo.no-ip.org @ http://counter.li.org HOG # US1244711 Photo Album: http://wahoo.no-ip.org/gallery2
Patrick Shanahan wrote:
* Syv Ritch <suse@911networks.com> [12-26-05 16:58]:
How does this work in conjunction with the SuseFirewall2?
I made no change to SuSEFirewall2. It complements it.
1. Do you run it in cron mode or daemon
2. How often do you purge the deny.host
-- Thanks http://www.911networks.com When the network has to work Cisco/Microsoft
* Syv Ritch <suse@911networks.com> [12-26-05 18:14]:
1. Do you run it in cron mode or daemon
I use cron (root), but daemon would be just as good.
2. How often do you purge the deny.host
I don't. There is a config to automagically purge aged entries. I set to 26 weeks. Available are minutes, hours, days, weeks, years. -- Patrick Shanahan Registered Linux User #207535 http://wahoo.no-ip.org @ http://counter.li.org HOG # US1244711 Photo Album: http://wahoo.no-ip.org/gallery2
participants (14)
- Andre Truter
- Arie Reynaldi Z
- Carlos E. R.
- Ken Schneider
- Liviu Damian
- Mark Crean
- Mike McMullin
- Patrick Shanahan
- Per Qvindesland
- Peter Nikolic
- steve
- Sunny
- Syv Ritch
- Zarantu