[opensuse] Howto restrict number of sshd sessions per minute
Hi ListMates,

I'm trying to resolve a problem with SuSEfirewall2 that I've had for some time and I'm hoping to get a resolution if possible. I'm trying this on a Dell Server T110 using openSUSE Linux 11.2 - uname: Linux bunyip 2.6.31.12-0.2-desktop #1 SMP PREEMPT 2010-03-16 21:25:39 +0100 i686 i686 i386 GNU/Linux.

I'm trying to restrict the number of sshd login attempts to only 5 per minute and no more. I've read the docs and have modified /etc/sysconfig/SuSEfirewall2 from

FW_SERVICES_ACCEPT_EXT="0/0,tcp,22"

to

FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=5,blockseconds=60,recentname=ssh"

If I check my logs I can still see that MANY sshd login attempts still happen within the 60 seconds. I have installed a perl program to catch and firewall those culprits BUT I would still like to know why the above code doesn't seem to work. Have I forgotten to edit something else? Any help would be much appreciated. If it helps, below is the result of iptables -L - maybe someone can spot something here? Again much thanks for any help in this area.
bunyip:/etc/sysconfig # iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  60.210.8.234         anywhere
DROP       all  --  59.151.119.180       anywhere
DROP       all  --  61.160.249.80        anywhere
DROP       all  --  118.45.235.157       anywhere
DROP       all  --  210.51.191.232       anywhere
DROP       all  --  pd95b8832.dip0.t-ipconnect.de  anywhere
DROP       all  --  218.75.79.18         anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             state RELATED
input_ext  all  --  anywhere             anywhere
input_ext  all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING '

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state NEW,RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR '

Chain forward_ext (0 references)
target     prot opt source               destination

Chain input_ext (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             PKTTYPE = broadcast
ACCEPT     icmp --  anywhere             anywhere             icmp source-quench
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     udp  --  anywhere             anywhere             udp spt:netbios-ns state RELATED
ACCEPT     gre  --  anywhere             anywhere
LOG        tcp  --  anywhere             anywhere             limit: avg 3/min burst 5 tcp dpt:ndmp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ndmp
LOG        tcp  --  anywhere             anywhere             limit: avg 3/min burst 5 tcp dpt:scp-config flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:scp-config
LOG        tcp  --  anywhere             anywhere             limit: avg 3/min burst 5 tcp dpt:pptp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pptp
LOG        tcp  --  anywhere             anywhere             limit: avg 3/min burst 5 tcp dpt:ftp-data flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp-data
LOG        tcp  --  anywhere             anywhere             limit: avg 3/min burst 5 tcp dpt:ni-ftp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ni-ftp
LOG        tcp  --  anywhere             anywhere             limit: avg 3/min burst 5 tcp dpt:http flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
LOG        tcp  --  anywhere             anywhere             limit: avg 3/min burst 5 tcp dpt:https flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
LOG        tcp  --  anywhere             anywhere             limit: avg 3/min burst 5 tcp dpt:smtp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
LOG        tcp  --  anywhere             anywhere             limit: avg 3/min burst 5 tcp dpt:urd flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:urd
LOG        tcp  --  anywhere             anywhere             limit: avg 3/min burst 5 tcp dpt:netbios-ssn flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
LOG        tcp  --  anywhere             anywhere             limit: avg 3/min burst 5 tcp dpt:microsoft-ds flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
LOG        tcp  --  anywhere             anywhere             limit: avg 3/min burst 5 tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
LOG        tcp  --  anywhere             anywhere             limit: avg 3/min burst 5 tcp dpt:ftp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp
LOG        tcp  --  anywhere             anywhere             limit: avg 3/min burst 5 tcp dpts:30000:30100 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:30000:30100
ACCEPT     udp  --  anywhere             anywhere             udp dpt:http
ACCEPT     udp  --  anywhere             anywhere             udp dpt:https
LOG        tcp  --  anywhere             anywhere             limit: avg 3/min burst 5 tcp dpt:ssh state NEW recent: CHECK seconds: 60 hit_count: 5 name: ssh side: source LOG level warning tcp-options ip-options prefix `SFW2-INext-DROPr '
DROP       tcp  --  anywhere             anywhere             tcp dpt:ssh state NEW recent: UPDATE seconds: 60 hit_count: 5 TTL-Match name: ssh side: source
LOG        tcp  --  anywhere             anywhere             tcp dpt:ssh state NEW limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC '
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh state NEW recent: SET name: ssh side: source
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
DROP       all  --  anywhere             anywhere             PKTTYPE = multicast
DROP       all  --  anywhere             anywhere             PKTTYPE = broadcast
LOG        tcp  --  anywhere             anywhere             limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG        icmp --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG        udp  --  anywhere             anywhere             limit: avg 3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
DROP       all  --  anywhere             anywhere

Chain reject_func (0 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-proto-unreachable
bunyip:/etc/sysconfig #

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
On Thursday, 2010-06-10 at 01:06 +0800, Otto Rodusek wrote:
I've read the docs and have modified /etc/sysconfig/SuSEfirewall2 (FW_SERVICES_ACCEPT_EXT="0/0,tcp,22") to (FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=5,blockseconds=60,recentname=ssh").
If I check my logs I can still see that MANY sshd login attempts still happen within the 60 seconds.
Make sure you don't open ssh somewhere else; FW_SERVICES_EXT_*, FW_TRUSTED_NETS take precedence over FW_SERVICES_ACCEPT_EXT.

--
Cheers,
Carlos E. R.
Carlos E. R. wrote:
Make sure you don't open ssh somewhere else; FW_SERVICES_EXT_*, FW_TRUSTED_NETS take precedence over FW_SERVICES_ACCEPT_EXT.
Hi Carlos,
Ah I see - ok I'll check that out, make the required mods and then re-test. I'll post back if all is fine. Thanks. Otto.
Otto Rodusek wrote:
Carlos E. R. wrote:
Make sure you don't open ssh somewhere else; FW_SERVICES_EXT_*, FW_TRUSTED_NETS take precedence over FW_SERVICES_ACCEPT_EXT.
Ah I see - ok I'll check that out, make the required mods and then re-test. I'll post back if all is fine. Thanks. Otto.
Hi,
Ok, re-checked SuSEfirewall2 and the only occurrences of FW_SERVICES_EXT_*, FW_TRUSTED_NETS (as suggested by Carlos) were:

455:# and more specific than FW_TRUSTED_NETS
539:FW_TRUSTED_NETS=""
282:FW_SERVICES_EXT_TCP="10000 10001 1723 20 47"
296:FW_SERVICES_EXT_UDP=""
313:FW_SERVICES_EXT_IP="gre"
333:FW_SERVICES_EXT_RPC=""
354:# see comments for FW_SERVICES_EXT_TCP
359:# see comments for FW_SERVICES_EXT_UDP
364:# see comments for FW_SERVICES_EXT_IP
369:# see comments for FW_SERVICES_EXT_RPC
379:# see comments for FW_SERVICES_EXT_TCP
384:# see comments for FW_SERVICES_EXT_UDP
389:# see comments for FW_SERVICES_EXT_IP
394:# see comments for FW_SERVICES_EXT_RPC
410:# interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
436:# interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
469:# interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
472:# Note1: keep in mind that FW_SERVICES_EXT_TCP, FW_SERVICES_EXT_UDP
1087:# FW_SERVICES_EXT_IP="esp"
1088:# FW_SERVICES_EXT_UDP="isakmp"

So the script is still clean (as per Carlos) but the sshd per minute is still LOTS!!! Hopefully got another cure!!! Thanks. Otto.
Otto Rodusek wrote:
So the script is still clean (as per Carlos) but the sshd per minute is still LOTS!!! Hopefully got another cure!!! Thanks. Otto.
Hi,

Hmmm... another follow-up to Carlos' email got me searching and I found 3 additional references to sshd:

FW_CONFIGURATIONS_EXT="apache2 apache2-ssl postfix samba-client samba-server sshd vsftpd"
FW_CONFIGURATIONS_DMZ="sshd"
FW_CONFIGURATIONS_INT="sshd"
# Allow max three ssh connects per minute from the same IP address:
# "0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=5,blockseconds=60,recentname=ssh"

I'm not sufficiently savvy with iptables & SuSEfirewall2, but could one or more of the above lines be causing the problem? Thanks. Otto.
Otto Rodusek wrote:
Hmmm...another follow up to Carlos email got me searching and I found 3 additional references to sshd :
FW_CONFIGURATIONS_EXT="apache2 apache2-ssl postfix samba-client samba-server sshd vsftpd"
Remove sshd from here. Also, normally you would not allow samba-client and samba-server on the external interface.
FW_CONFIGURATIONS_DMZ="sshd"
If you have a DMZ interface configured and you want to allow ssh to your DMZ, then fine.
FW_CONFIGURATIONS_INT="sshd"
If you are allowing ssh connections to your firewall from your internal network, then fine.
# Allow max three ssh connects per minute from the same IP address:
# "0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=5,blockseconds=60,recentname=ssh"
This is the one that controls how many connections are allowed.

Hope this helps
Togan
Togan Muftuoglu wrote:
This is the one that gives the controlling of how many connections
Hi,

Ok, tried all the suggestions and cleaned out SuSEfirewall2 as per above, but I still get the following in my logs:

Jun 10 03:08:28 bunyip sshd[7626]: User root from 218.8.82.99 not allowed because not listed in AllowUsers
Jun 10 03:08:29 bunyip sshd[7629]: User root from 218.8.82.99 not allowed because not listed in AllowUsers
Jun 10 03:08:30 bunyip sshd[7631]: User root from 218.8.82.99 not allowed because not listed in AllowUsers
Jun 10 03:08:31 bunyip sshd[7633]: User root from 218.8.82.99 not allowed because not listed in AllowUsers
Jun 10 03:08:32 bunyip sshd[7635]: User root from 218.8.82.99 not allowed because not listed in AllowUsers
Jun 10 03:08:33 bunyip sshd[7637]: User root from 218.8.82.99 not allowed because not listed in AllowUsers
Jun 10 03:08:34 bunyip sshd[7639]: User root from 218.8.82.99 not allowed because not listed in AllowUsers
Jun 10 03:08:35 bunyip sshd[7641]: User root from 218.8.82.99 not allowed because not listed in AllowUsers
Jun 10 03:08:36 bunyip sshd[7643]: User root from 218.8.82.99 not allowed because not listed in AllowUsers
Jun 10 03:08:38 bunyip sshd[7645]: User root from 218.8.82.99 not allowed because not listed in AllowUsers
Jun 10 03:08:39 bunyip sshd[7647]: User root from 218.8.82.99 not allowed because not listed in AllowUsers
Jun 10 03:08:40 bunyip sshd[7649]: User root from 218.8.82.99 not allowed because not listed in AllowUsers
Jun 10 03:08:41 bunyip sshd[7651]: User root from 218.8.82.99 not allowed because not listed in AllowUsers
Jun 10 03:08:42 bunyip sshd[7653]: Invalid user oracle from 218.8.82.99
Jun 10 03:08:43 bunyip sshd[7656]: Invalid user test from 218.8.82.99

Obviously the line FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=5,blockseconds=60,recentname=ssh" isn't doing what it's supposed to do? Any other ideas I can try? Again thanks for all the suggestions and help! Best regards. Otto.
PS: Here is the output from SuSEfirewall2 -status if it will help!!??

bunyip:/etc/sysconfig # SuSEfirewall2 status
### iptables filter ###
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       118.217.217.47       0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2791K  376M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED
 8066 1084K input_ext  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 input_ext  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET '
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING '

Chain OUTPUT (policy ACCEPT 1 packets, 40 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
2633K  972M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED
    1    40 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-OUT-ERROR '

Chain forward_ext (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_ext (2 references)
 pkts bytes target     prot opt in     out     source               destination
 7156  954K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            PKTTYPE = broadcast
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 4
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 8
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:137 state RELATED
    0     0 ACCEPT     47   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:10000 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:10000
   18   864 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:10001 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
   74  3552 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:10001
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:1723 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1723
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:20 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:20
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:47 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:47
    8   412 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:80 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    9   476 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
   38  2060 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:443 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
   44  2444 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:25 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:465 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465
    1    48 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:139 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    1    48 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:139
    3   144 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:445 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    3   144 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
   45  2160 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:21 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
   46  2208 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpts:30000:30100 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:30000:30100
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:80
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:443
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:22 state NEW recent: CHECK seconds: 60 hit_count: 5 name: ssh side: source LOG flags 6 level 4 prefix `SFW2-INext-DROPr '
    3   180 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW recent: UPDATE seconds: 60 hit_count: 5 TTL-Match name: ssh side: source
   20  1180 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-ACC '
   20  1180 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW recent: SET name: ssh side: source
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
  628  113K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            PKTTYPE = multicast
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            PKTTYPE = broadcast
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
   48  3744 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
   82  6396 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain reject_func (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-proto-unreachable

### iptables raw ###
Chain PREROUTING (policy ACCEPT 11M packets, 1549M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 NOTRACK    all  --  lo     *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 10M packets, 5702M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 NOTRACK    all  --  *      lo      0.0.0.0/0            0.0.0.0/0

### ip6tables filter ###
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      lo     *       ::/0                 ::/0
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                 state ESTABLISHED
    0     0 ACCEPT     icmpv6   *      *       ::/0                 ::/0                 state RELATED
    0     0 input_ext  all      eth0   *       ::/0                 ::/0
    0     0 input_ext  all      *      *       ::/0                 ::/0
    0     0 LOG        all      *      *       ::/0                 ::/0                 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET '
    0     0 DROP       all      *      *       ::/0                 ::/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all      *      *       ::/0                 ::/0                 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING '

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      *      lo      ::/0                 ::/0
    0     0 ACCEPT     icmpv6   *      *       ::/0                 ::/0
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                 state NEW,RELATED,ESTABLISHED
    0     0 LOG        all      *      *       ::/0                 ::/0                 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-OUT-ERROR '

Chain forward_ext (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_ext (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmpv6   *      *       ::/0                 ::/0                 ipv6-icmp type 128
    0     0 ACCEPT     icmpv6   *      *       ::/0                 ::/0                 ipv6-icmp type 133
    0     0 ACCEPT     icmpv6   *      *       ::/0                 ::/0                 ipv6-icmp type 134
    0     0 ACCEPT     icmpv6   *      *       ::/0                 ::/0                 ipv6-icmp type 135
    0     0 ACCEPT     icmpv6   *      *       ::/0                 ::/0                 ipv6-icmp type 136
    0     0 ACCEPT     icmpv6   *      *       ::/0                 ::/0                 ipv6-icmp type 137
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                 udp spt:137 state RELATED
    0     0 ACCEPT     47       *      *       ::/0                 ::/0
    0     0 LOG        tcp      *      *       ::/0                 ::/0                 limit: avg 3/min burst 5 tcp dpt:10000 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:10000
    0     0 LOG        tcp      *      *       ::/0                 ::/0                 limit: avg 3/min burst 5 tcp dpt:10001 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:10001
    0     0 LOG        tcp      *      *       ::/0                 ::/0                 limit: avg 3/min burst 5 tcp dpt:1723 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:1723
    0     0 LOG        tcp      *      *       ::/0                 ::/0                 limit: avg 3/min burst 5 tcp dpt:20 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:20
    0     0 LOG        tcp      *      *       ::/0                 ::/0                 limit: avg 3/min burst 5 tcp dpt:47 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:47
    0     0 LOG        tcp      *      *       ::/0                 ::/0                 limit: avg 3/min burst 5 tcp dpt:80 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:80
    0     0 LOG        tcp      *      *       ::/0                 ::/0                 limit: avg 3/min burst 5 tcp dpt:443 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:443
    0     0 LOG        tcp      *      *       ::/0                 ::/0                 limit: avg 3/min burst 5 tcp dpt:25 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:25
    0     0 LOG        tcp      *      *       ::/0                 ::/0                 limit: avg 3/min burst 5 tcp dpt:465 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:465
    0     0 LOG        tcp      *      *       ::/0                 ::/0                 limit: avg 3/min burst 5 tcp dpt:139 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:139
    0     0 LOG        tcp      *      *       ::/0                 ::/0                 limit: avg 3/min burst 5 tcp dpt:445 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:445
    0     0 LOG        tcp      *      *       ::/0                 ::/0                 limit: avg 3/min burst 5 tcp dpt:21 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:21
    0     0 LOG        tcp      *      *       ::/0                 ::/0                 limit: avg 3/min burst 5 tcp dpts:30000:30100 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpts:30000:30100
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                 udp dpt:80
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                 udp dpt:443
    0     0 LOG        tcp      *      *       ::/0                 ::/0                 limit: avg 3/min burst 5 tcp dpt:22 state NEW recent: CHECK seconds: 60 hit_count: 5 name: ssh side: source LOG flags 6 level 4 prefix `SFW2-INext-DROPr '
    0     0 DROP       tcp      *      *       ::/0                 ::/0                 tcp dpt:22 state NEW recent: UPDATE seconds: 60 hit_count: 5 TTL-Match name: ssh side: source
    0     0 LOG        tcp      *      *       ::/0                 ::/0                 tcp dpt:22 state NEW limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-ACC '
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:22 state NEW recent: SET name: ssh side: source
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:22
    0     0 LOG        tcp      *      *       ::/0                 ::/0                 limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
    0     0 LOG        icmpv6   *      *       ::/0                 ::/0                 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
    0     0 LOG        udp      *      *       ::/0                 ::/0                 limit: avg 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
    0     0 DROP       all      *      *       ::/0                 ::/0

Chain reject_func (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp      *      *       ::/0                 ::/0                 reject-with tcp-reset
    0     0 REJECT     udp      *      *       ::/0                 ::/0                 reject-with icmp6-port-unreachable
    0     0 REJECT     all      *      *       ::/0                 ::/0                 reject-with icmp6-addr-unreachable
    0     0 DROP       all      *      *       ::/0                 ::/0

### ip6tables mangle ###
Chain PREROUTING (policy ACCEPT 138 packets, 13384 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 138 packets, 13384 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 150 packets, 14360 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 150 packets, 14360 bytes)
 pkts bytes target     prot opt in     out     source               destination

### ip6tables raw ###
Chain PREROUTING (policy ACCEPT 138 packets, 13384 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 NOTRACK    all      lo     *       ::/0                 ::/0

Chain OUTPUT (policy ACCEPT 150 packets, 14360 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 NOTRACK    all      *      lo      ::/0                 ::/0
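The log lines above show roughly one new ssh connection per second from a single source, while the status output shows the recent-match rules now sitting in input_ext (3 drops, 20 accepts). As an added example that is not code from the thread or from SuSEfirewall2, the Python below models the two xt_recent rules visible in that chain (recent: UPDATE with hit_count 5 / seconds 60 -> DROP, then recent: SET -> ACCEPT) and replays sshd log lines through them, so the accept/drop pattern that hitcount=5,blockseconds=60 should produce can be compared against what the logs actually show. Assumptions: one log line equals one NEW TCP connection, TTL-Match always succeeds, the kernel's per-entry stamp cap is ignored, and the sample lines and addresses are constructed.

```python
"""Replay sshd log lines through a model of SuSEfirewall2's hitcount/blockseconds rules."""
import re
from collections import defaultdict
from datetime import datetime

# Matches syslog lines of the shape quoted in the thread, e.g.
# "Jun 10 03:08:28 bunyip sshd[7626]: User root from 10.0.0.1 not allowed ..."
# and "... sshd[7653]: Invalid user oracle from 10.0.0.1".
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:User \S+ from|Invalid user \S+ from) (?P<src>[\d.]+)"
)


def parse_line(line, year=2010):
    """Return (epoch_seconds, source_ip) for one sshd line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the thread's lines are from June 2010.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts.timestamp(), m["src"]


class RecentTable:
    """In-memory model of an xt_recent list such as 'name: ssh side: source'."""

    def __init__(self, seconds=60, hitcount=5):
        self.seconds = seconds      # blockseconds=60
        self.hitcount = hitcount    # hitcount=5
        self.stamps = defaultdict(list)  # source -> [epoch seconds, ...]

    def _in_window(self, src, now):
        # Only stamps inside the last `seconds` count towards hit_count.
        self.stamps[src] = [t for t in self.stamps[src] if now - t <= self.seconds]
        return self.stamps[src]

    def decide(self, src, now):
        """Apply the rule pair in chain order for one NEW connection; return 'DROP' or 'ACCEPT'."""
        # Rule 1: 'recent: UPDATE seconds: 60 hit_count: 5' -> DROP.
        # It matches when at least hit_count stamps lie inside the window and, on a
        # match, --update adds the current time, so continued hammering keeps the
        # source blocked rather than letting the block expire blockseconds after the
        # first hit (assumption: TTL-Match is satisfied).
        if len(self._in_window(src, now)) >= self.hitcount:
            self.stamps[src].append(now)
            return "DROP"
        # Rule 2: 'recent: SET' -> ACCEPT. --set records this accepted connection.
        self.stamps[src].append(now)
        return "ACCEPT"


def replay(lines, seconds=60, hitcount=5):
    """Replay log lines in order; returns [(src, epoch, verdict), ...] for lines that parse."""
    table = RecentTable(seconds, hitcount)
    out = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        now, src = parsed
        out.append((src, now, table.decide(src, now)))
    return out


def count_verdicts(results):
    """Per-source tally of accepted and dropped NEW connections."""
    tally = defaultdict(lambda: {"ACCEPT": 0, "DROP": 0})
    for src, _, verdict in results:
        tally[src][verdict] += 1
    return dict(tally)


# Constructed sample modelled on the thread's lines (TEST-NET addresses, not real hosts):
# 15 connections in 15 seconds from one source, one from another source, then two more
# from the first source at 03:09:30 and 03:09:45 to show how the block window slides.
SAMPLE = [
    f"Jun 10 03:08:{28 + i:02d} bunyip sshd[{7626 + 2 * i}]: User root from 203.0.113.9 "
    "not allowed because not listed in AllowUsers"
    for i in range(15)
] + [
    "Jun 10 03:09:10 bunyip sshd[7700]: Invalid user test from 198.51.100.7",
    "Jun 10 03:09:30 bunyip sshd[7702]: Invalid user oracle from 203.0.113.9",
    "Jun 10 03:09:45 bunyip sshd[7704]: Invalid user admin from 203.0.113.9",
    "Jun 10 03:09:46 bunyip sshd[7704]: Connection closed by 203.0.113.9",  # not a login attempt
]

if __name__ == "__main__":
    results = replay(SAMPLE)
    for src, t, verdict in results:
        print(f"{src:15} {datetime.fromtimestamp(t):%H:%M:%S} {verdict}")
    print(count_verdicts(results))
```

With the rules working, only the first five connections in a burst should reach sshd; a log like the one above, where every attempt produced an sshd line, means the packets never hit the recent rules (for instance because an unconditional port-22 ACCEPT sits earlier in the chain).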
On Thursday 10 Jun 2010 14:37:07 Otto Rodusek wrote:
Any other ideas I can try?
Why not change your ssh port from the default 22? Below are the instructions provided by David Rankin when I was being attacked through port 22. All quiet here now ;)

Moving SSH to a higher port number

To move ssh to a higher port on openSuSE, you need to edit two files:
1. /etc/services
2. /etc/ssh/sshd_config

First open /etc/services and find an "Unassigned" high port that you would like to use. ('grep Unassigned /etc/services' works well) I would look between 5000 and 9999 so you are left with a four digit port and don't have to type 5 digits for the port. If you like typing, then just stay under 64,000. After you have found a port to use, then copy the lines for port 22, change the port to your desired port number and then comment out the port 22 lines:

#ssh             22/tcp    # SSH Remote Login Protocol  dcr reassigned to 5129
#ssh             22/udp    # SSH Remote Login Protocol
#ssh             22/sctp   # SSH
ssh              5129/tcp  # SSH Remote Login Protocol  dcr reassigned from 22
ssh              5129/udp  # SSH Remote Login Protocol
ssh              5129/sctp # SSH

When you move the port

Then edit /etc/ssh/sshd_config and change the Port number:

#Port 22
Port 5129

Then restart sshd, as root, rcsshd restart. You are ready to access your new ssh port with the port specified in the ssh command:

ssh -p 5129 you@your.host.com

Then all I had to do was update all my ssh aliases in .bashrc and the fact that ssh is now on a different port is completely transparent. Of course you have to change the port in your router as well. One show stopper for me would have been if the change caused difficulties with fish:// However, fish works just fine. All you need to do is add ':portnumber' to the end of the hostname like:

fish://user@somehost.com:port/

or to eliminate the password prompt (if you're not using public/private keys)

fish://user:pass@somehost.com:port/

Additional Information for rsync:
For rsync to work with the alternate port, you must enclose the ssh command and desired port number in single quotes. Example:

rsync -av -e 'ssh -p 5129' yoursite.com:~/tmp/somefile.doc tmp/

Works like a champ.

And scp insists on a capital P for some reason:

scp -P 5129 LOCAL_FILE REMOTE_FILE

That's why I prefer to add this to ~/.ssh/config if one connects regularly to the remote system (or even to /etc/ssh/ssh_config, if more users on that system do that):

Host yoursite.com
    Port 5129

You can/should also add "Compression yes" there, if the connection goes via Internet. And one can make nicknames for connections by specifying the nickname in the Host clause and adding a line with "HostName yoursite.com". If the remote system is on a dialup line with changing IP numbers and dynamic DNS, add "CheckHostIP no".

Another important configuration clause is "User uid" if your uids differ from local to remote system, but that's one for the personal config file, not one for the system-wide one. Configurations are additive, i.e., one can have some in a wildcard section for a whole domain, some system-wide for a specific system, and some in the personal config file, like the User clause; they are all merged together. We have dozens of such configurations in our ssh config files... ;-)

Afterwards, all ssh and scp connections (including those initiated by rsync) use that configuration, no need to specify the port with every call.

-- 
Registered Linux User #463880 FSFE Member #1300
GPG-FP: A6C1 457C 6DBA B13E 5524 F703 D12A FB79 926B 994E
openSUSE 11.2, Kernel 2.6.31.12-0.2-desktop, KDE 4.3.5
Intel Core2 Quad Q9400 2.66GHz, 4GB DDR RAM, nVidia GeForce 9600GT
-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
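A scripted version of the two file edits described in the post, added here as an illustration (it is not code from the post, from David Rankin or from openSUSE). It works on the file contents as strings so it can be dry-run on copies, refuses a target port that /etc/services already assigns to another service (the post's "Unassigned" check), comments out the old ssh lines and appends the new ones the way the post shows, and replaces the sshd_config Port directive without leaving a second active one behind. The /etc/services and sshd_config excerpts are constructed samples, and the 1024 to 65535 range check is an assumption of this example, not something the post states.

```python
"""Port move from the post, applied to /etc/services and sshd_config as text,
with the checks an admin wants before 'rcsshd restart'.  Added example; not
code from the post or from openSUSE.  Contents go in and out as strings so
the edit can be previewed on copies of the real files."""
import re

# "name  port/proto  [aliases] [# comment]" as in /etc/services
SERVICES_LINE = re.compile(r"^(?P<name>\S+)\s+(?P<port>\d+)/(?P<proto>\w+)")


def port_owner(services_text, port, proto):
    """Service name assigned to port/proto, or None.  Commented-out lines are
    ignored, so a port counts as unassigned when nothing active claims it."""
    for line in services_text.splitlines():
        m = SERVICES_LINE.match(line.split("#", 1)[0].strip())
        if m and int(m.group("port")) == port and m.group("proto") == proto:
            return m.group("name")
    return None


def move_ssh_in_services(services_text, old_port, new_port):
    """Comment out the ssh lines for old_port and append copies for new_port,
    keeping each line's protocol and comment, as the post does by hand."""
    for proto in ("tcp", "udp", "sctp"):
        owner = port_owner(services_text, new_port, proto)
        if owner not in (None, "ssh"):
            raise ValueError(f"{new_port}/{proto} is already assigned to {owner}")
    kept, moved = [], []
    for line in services_text.splitlines():
        m = SERVICES_LINE.match(line)
        if m and m.group("name") == "ssh" and int(m.group("port")) == old_port:
            kept.append(f"#{line}  # reassigned to {new_port}")
            moved.append(line.replace(f"{old_port}/", f"{new_port}/", 1)
                         + f"  # reassigned from {old_port}")
        else:
            kept.append(line)
    if not moved:
        raise ValueError(f"no active 'ssh {old_port}/...' lines found")
    return "\n".join(kept + moved) + "\n"


def set_sshd_port(config_text, new_port):
    """Make 'Port new_port' the single active Port directive: the first Port
    line (active or commented, like the stock '#Port 22') is replaced and any
    further active Port lines are commented out."""
    if not 1024 <= new_port <= 65535:      # assumption: stay in the unprivileged range
        raise ValueError(f"port {new_port} out of range")
    out, replaced = [], False
    for line in config_text.splitlines():
        if re.match(r"^\s*#?\s*Port\s+\d+\s*$", line):
            if not replaced:
                out.append(f"Port {new_port}")
                replaced = True
            elif not line.lstrip().startswith("#"):
                out.append("#" + line)
            else:
                out.append(line)
        else:
            out.append(line)
    if not replaced:
        out.append(f"Port {new_port}")
    return "\n".join(out) + "\n"


def active_ports(config_text):
    """Ports sshd would listen on after the edit; check before restarting."""
    return [int(m.group(1)) for m in re.finditer(r"^\s*Port\s+(\d+)", config_text, re.M)]


# Constructed excerpts; not copied from any real system.
SAMPLE_SERVICES = """\
ssh             22/tcp    # SSH Remote Login Protocol
ssh             22/udp    # SSH Remote Login Protocol
ssh             22/sctp   # SSH
http            80/tcp    www
sip             5060/tcp  # Session Initiation Protocol
#               5128-5189 Unassigned
"""
SAMPLE_SSHD_CONFIG = """\
#Port 22
#AddressFamily any
ListenAddress 0.0.0.0
PermitRootLogin no
"""

if __name__ == "__main__":
    print(move_ssh_in_services(SAMPLE_SERVICES, 22, 5129))
    print(set_sshd_port(SAMPLE_SSHD_CONFIG, 5129))
```

Running the two functions on copies first and diffing the result against the live files is the cheap way to avoid locking yourself out before the restart.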
Bob Williams wrote:
On Thursday 10 Jun 2010 14:37:07 Otto Rodusek wrote:
Any other ideas I can try?
Why not change your ssh port from the default 22? Below are the instructions provided by David Rankin when I was being attacked through port 22. All quiet here now ;)
Moving SSH to a higher port number
To move ssh to a higher port on openSuSE, you need to edit two files:
1. /etc/services
2. /etc/ssh/sshd_config
First open /etc/services and find an "Unassigned" high port that you would like to use. ('grep Unassigned /etc/services' works well) I would look between 5000 and 9999 so you are left with a four digit port and don't have to type 5 digits for the port. If you like typing, then just stay under 64,000. After you have found a port to use, then copy the lines for port 22, change the port to your desired port number and then comment out the port 22 lines:
#ssh             22/tcp    # SSH Remote Login Protocol  dcr reassigned to 5129
#ssh             22/udp    # SSH Remote Login Protocol
#ssh             22/sctp   # SSH
ssh              5129/tcp  # SSH Remote Login Protocol  dcr reassigned from 22
ssh              5129/udp  # SSH Remote Login Protocol
ssh              5129/sctp # SSH

When you move the port
Then edit /etc/ssh/sshd_config and change the Port number:
#Port 22
Port 5129
Then restart sshd, as root, rcsshd restart. You are ready to access your new ssh port with the port specified in the ssh command:
ssh -p 5129 you@your.host.com
Then all I had to do was update all my ssh aliases in .bashrc and the fact that ssh is now on a different port is completely transparent. Of course you have to change the port in your router as well. One show stopper for me would have been if the change caused difficulties with fish:// However, fish works just fine. All you need to do is add ':portnumber' to the end of the hostname like:
fish://user@somehost.com:port/
or to eliminate the password prompt (if you're not using public/private keys)
fish://user:pass@somehost.com:port/
Additional Information for rsync:
For rsync to work with the alternate port, you must enclose the ssh command and desired port number in single quotes. Example:
rsync -av -e 'ssh -p 5129' yoursite.com:~/tmp/somefile.doc tmp/
Works like a champ.
And scp insists on a capital P for some reason:
scp -P 5129 LOCAL_FILE REMOTE_FILE
That's why I prefer to add this to ~/.ssh/config if one connects regularly to the remote system (or even to /etc/ssh/ssh_config, if more users on that system do that):
Host yoursite.com
    Port 5129
You can/should also add "Compression yes" there, if the connection goes via Internet. And one can make nicknames for connections by specifying the nickname in the Host clause and adding a line with "HostName yoursite.com". If the remote system is on a dialup line with changing IP numbers and dynamic DNS, add "CheckHostIP no".
Another important configuration clause is "User uid" if your uids differ from local to remote system, but that's one for the personal config file, not one for the system-wide one. Configurations are additive, i.e., one can have some in a wildcard section for a whole domain, some system-wide for a specific system, and some in the personal config file, like the User clause; they are all merged together. We have dozens of such configurations in our ssh config files... ;-)
Afterwards, all ssh and scp connections (including those initiated by rsync) use that configuration, no need to specify the port with every call.
Hi Bob,

Thanks for your feedback. I already have additional safeguards against attacks (I have a perl prog that monitors /var/log/messages & other logs and locks out perps). I've also changed ports. I'm just curious why iptables won't honor the:

FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=5,blockseconds=60,recentname=ssh"

It's more a nagging issue than anything else. Again thanks for your feedback.

Best regards.
Otto.
Otto Rodusek wrote:
and locks out perps). I've also changed ports. I'm just curious why iptables won't honor the:
FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=5,blockseconds=60,recentname=ssh"
Interesting, as on my systems it does honor it. Which openSUSE version are you running, and do you see xt_recent when you do "lsmod | grep recent"?

Togan
Togan Muftuoglu wrote:
Otto Rodusek wrote:
and locks out perps). I've also changed ports. I'm just curious why iptables won't honor the:
FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=5,blockseconds=60,recentname=ssh"
Interesting, as on my systems it does honor it. Which openSUSE version are you running, and do you see xt_recent when you do "lsmod | grep recent"?
Togan
Hi Togan,

I'm running openSUSE 11.2 as follows:

bunyip:/usr/otto # uname -a
Linux bunyip 2.6.31.12-0.2-desktop #1 SMP PREEMPT 2010-03-16 21:25:39 +0100 i686 i686 i386 GNU/Linux
bunyip:/usr/otto #
bunyip:/usr/otto # lsmod|grep recent
xt_recent               9852  6
x_tables               19524  12 ip6t_LOG,xt_recent,xt_tcpudp,xt_pkttype,ipt_LOG,xt_limit,ip6t_REJECT,xt_NOTRACK,ipt_REJECT,xt_state,ip_tables,ip6_tables

Not sure if this helps. Thanks.
Otto.
On 9 June 2010 at 19:06, Otto Rodusek <otto@applied.com.sg> wrote:
Hi ListMates,
I'm trying to resolve a problem with Susefirewall2 that I've had for some time and I'm hoping to get a resolution if possible. I'm trying this on a Dell Server T110 using opensuse linux 11.2 - uname: Linux bunyip 2.6.31.12-0.2-desktop #1 SMP PREEMPT 2010-03-16 21:25:39 +0100 i686 i686 i386 GNU/Linux.
I'm trying to restrict the number of sshd login attempts to only 5 per minute and no more.
Hello:

This is not an exact answer to your question but there is an article here which is related: http://www.novell.com/communities/node/8395/further-securing-opensuse-111-ag...

Another one is here: http://en.opensuse.org/SSH_systematic_attack_protection

Maybe you can use them.

Istvan
Istvan Gabor wrote:
On 9 June 2010 at 19:06, Otto Rodusek <otto@applied.com.sg> wrote:
Hi ListMates,
I'm trying to resolve a problem with Susefirewall2 that I've had for some time and I'm hoping to get a resolution if possible. I'm trying this on a Dell Server T110 using opensuse linux 11.2 - uname: Linux bunyip 2.6.31.12-0.2-desktop #1 SMP PREEMPT 2010-03-16 21:25:39 +0100 i686 i686 i386 GNU/Linux.
I'm trying to restrict the number of sshd login attempts to only 5 per minute and no more.
Hello:
This is not an exact answer to your question but there is an article here which is related: http://www.novell.com/communities/node/8395/further-securing-opensuse-111-ag...
Another one is here: http://en.opensuse.org/SSH_systematic_attack_protection
Maybe you can use them.
Istvan
Hi Istvan,

Thanks for your feedback. I already have additional safeguards against attacks (I have a perl prog that monitors /var/log/messages & other logs and locks out perps). I'm just curious why iptables won't honor the:

FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=5,blockseconds=60,recentname=ssh"

It's more a nagging issue than anything else. Again thanks for your feedback.

Best regards.
Otto.
This ruleset is working for me. Maybe it is good for you as well.

Regards
Jörg

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 900 --hitcount 5 --name sshchk --rsource -j DROP
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 3 --name sshchk --rsource -j DROP
iptables -A INPUT -p tcp --dport 22 -m recent --set --name sshchk --rsource -j ACCEPT

-----Original Message-----
From: Otto Rodusek [mailto:otto@applied.com.sg]
Sent: Wednesday, 9 June 2010 19:07
To: suse
Subject: [opensuse] Howto restrict number of sshd sessions per minute

Hi ListMates,

I'm trying to resolve a problem with Susefirewall2 that I've had for some time and I'm hoping to get a resolution if possible. I'm trying this on a Dell Server T110 using opensuse linux 11.2 - uname: Linux bunyip 2.6.31.12-0.2-desktop #1 SMP PREEMPT 2010-03-16 21:25:39 +0100 i686 i686 i386 GNU/Linux.

I'm trying to restrict the number of sshd login attempts to only 5 per minute and no more. I've read the docs and have modified /etc/sysconfig/SuSEfirewall2 (FW_SERVICES_ACCEPT_EXT="0/0,tcp,22") to (FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=5,blockseconds=60,recentname=ssh"). If I check my logs I can still see that MANY sshd login attempts still happen within the 60 seconds. I have installed a perl program to catch and firewall those culprits BUT I would still like to know why the above code doesn't seem to work. Have I forgotten to edit something else? Any help would be much appreciated. If it helps, below is the result of the iptables -L - maybe someone can spot something here? Again much thanks for any help in this area.

bunyip:/etc/sysconfig # iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  60.210.8.234         anywhere
DROP       all  --  59.151.119.180       anywhere
DROP       all  --  61.160.249.80        anywhere
DROP       all  --  118.45.235.157       anywhere
DROP       all  --  210.51.191.232       anywhere
DROP       all  --  pd95b8832.dip0.t-ipconnect.de  anywhere
DROP       all  --  218.75.79.18         anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            state RELATED
input_ext  all  --  anywhere             anywhere
input_ext  all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING '

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR '

Chain forward_ext (0 references)
target     prot opt source               destination

Chain input_ext (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            PKTTYPE = broadcast
ACCEPT     icmp --  anywhere             anywhere            icmp source-quench
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     udp  --  anywhere             anywhere            udp spt:netbios-ns state RELATED
ACCEPT     gre  --  anywhere             anywhere
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:ndmp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ndmp
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:scp-config flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:scp-config
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:pptp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pptp
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:ftp-data flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp-data
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:ni-ftp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ni-ftp
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:http flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:https flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:smtp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:urd flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:urd
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:netbios-ssn flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:microsoft-ds flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:ftp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpts:30000:30100 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:30000:30100
ACCEPT     udp  --  anywhere             anywhere            udp dpt:http
ACCEPT     udp  --  anywhere             anywhere            udp dpt:https
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:ssh state NEW recent: CHECK seconds: 60 hit_count: 5 name: ssh side: source LOG level warning tcp-options ip-options prefix `SFW2-INext-DROPr '
DROP       tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW recent: UPDATE seconds: 60 hit_count: 5 TTL-Match name: ssh side: source
LOG        tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW recent: SET name: ssh side: source
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       all  --  anywhere             anywhere            PKTTYPE = multicast
DROP       all  --  anywhere             anywhere            PKTTYPE = broadcast
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG        icmp --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG        udp  --  anywhere             anywhere            limit: avg 3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
DROP       all  --  anywhere             anywhere

Chain reject_func (0 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-proto-unreachable
bunyip:/etc/sysconfig #
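An added illustration of why rule order decides the outcome here; this is editor-supplied example code, not code from the list, from Jörg or from SuSEfirewall2. In the quoted input_ext chain the unconditional "ACCEPT tcp dpt:ssh" that follows the SFW2-INext-ACC-TCP LOG rule sits among the per-port accepts for ndmp, http, smtp and the rest, above the three rules carrying "recent: CHECK", "recent: UPDATE" and "recent: SET". Netfilter walks a chain top-down and stops at the first terminating target, so a new SSH connection is accepted by that earlier rule and the hitcount rules never see it, which is consistent with the many attempts Otto still sees in his logs. The model below reproduces the xt_recent bookkeeping that both Jörg's ruleset and the SuSEfirewall2 rules rely on (--set records a timestamp for the source; --rcheck and --update count the timestamps already recorded within --seconds; --update additionally records one when it matches, so a DROP built on it keeps extending the block while attempts continue) and runs one constructed burst from a single source through three chains: Jörg's four rules, a cut-down model of the quoted listing, and the same chain without the unconditional accept. The source address, timings and rule labels are constructed; TTL matching, --rttl and --reap are not modelled.

```python
"""Toy model of netfilter chain evaluation with the xt_recent match.

Added example for this thread; not code from the list or from SuSEfirewall2.
Modelled: first-match chain walk, a conntrack state check, and the recent
match's --set / --rcheck / --update with --seconds and --hitcount.
Not modelled: TTL matching, --rttl, --reap.  Times are plain seconds."""
from collections import defaultdict, deque

NON_TERMINATING = {"LOG"}       # LOG matches but the chain walk continues
ATTACKER = "198.51.100.7"       # constructed source (RFC 5737 documentation range)


class RecentTable:
    """Per-source timestamp ring, like /proc/net/xt_recent/<name>."""

    def __init__(self, name, max_stamps=20):    # 20 = xt_recent ip_pkt_list_tot default
        self.name = name
        self.stamps = defaultdict(lambda: deque(maxlen=max_stamps))

    def hits_within(self, src, now, seconds):
        # Stamps already recorded inside the window.  The packet being evaluated
        # is not among them: only a later --set or a matching --update adds it.
        return sum(1 for t in self.stamps.get(src, ()) if now - t <= seconds)

    def set(self, src, now):                        # --set: always matches
        self.stamps[src].append(now)
        return True

    def check(self, src, now, seconds, hitcount):   # --rcheck --seconds S --hitcount N
        return self.hits_within(src, now, seconds) >= hitcount

    def update(self, src, now, seconds, hitcount):  # --update: --rcheck plus a fresh
        if self.check(src, now, seconds, hitcount): # stamp on match, so a DROP rule
            self.stamps[src].append(now)            # keeps extending the block while
            return True                             # the source keeps trying
        return False


class Rule:
    def __init__(self, label, target, dport=None, state=None, recent=None):
        self.label, self.target = label, target
        self.dport, self.state = dport, state       # state: set of conntrack states
        self.recent = recent                        # callable(src, now) -> bool

    def matches(self, pkt, now):
        if self.dport is not None and pkt["dport"] != self.dport:
            return False
        if self.state is not None and pkt["state"] not in self.state:
            return False
        # recent goes last so its side effects only happen for packets the
        # other criteria let through, as in the kernel's match ordering
        return self.recent is None or self.recent(pkt["src"], now)


def evaluate(chain, pkt, now, policy="DROP"):
    """Rules are tried top-down; the first terminating target decides."""
    for rule in chain:
        if rule.matches(pkt, now) and rule.target not in NON_TERMINATING:
            return rule.target, rule.label
    return policy, "chain policy"


def conntrack_rule():
    return Rule("state ESTABLISHED,RELATED", "ACCEPT", state={"ESTABLISHED", "RELATED"})


def joerg_chain(tbl):
    """Jörg's rules in the order posted; both update rules share table sshchk."""
    return [
        conntrack_rule(),
        Rule("recent --update 900s --hitcount 5", "DROP", dport=22,
             recent=lambda s, n: tbl.update(s, n, 900, 5)),
        Rule("recent --update 60s --hitcount 3", "DROP", dport=22,
             recent=lambda s, n: tbl.update(s, n, 60, 3)),
        Rule("recent --set", "ACCEPT", dport=22, recent=tbl.set),
    ]


def listing_chain(tbl):
    """Cut-down model of the quoted input_ext: a plain 'ACCEPT tcp dpt:ssh'
    precedes the CHECK / UPDATE / SET triple generated by the hitcount entry."""
    return [
        conntrack_rule(),
        Rule("ACCEPT tcp dpt:ssh (SFW2-INext-ACC-TCP)", "ACCEPT", dport=22),
        Rule("LOG SFW2-INext-DROPr", "LOG", dport=22, state={"NEW"},
             recent=lambda s, n: tbl.check(s, n, 60, 5)),
        Rule("DROP recent UPDATE 60s hit_count 5", "DROP", dport=22, state={"NEW"},
             recent=lambda s, n: tbl.update(s, n, 60, 5)),
        Rule("ACCEPT recent SET", "ACCEPT", dport=22, state={"NEW"}, recent=tbl.set),
    ]


def without_plain_accept(tbl):
    """The listing chain minus the unconditional accept; hitcount rules now decide."""
    return [r for r in listing_chain(tbl) if not r.label.startswith("ACCEPT tcp dpt:ssh")]


def run(chain_factory, packets):
    """Return ([(verdict, rule label), ...], table) for (time, packet) tuples."""
    tbl = RecentTable("ssh")
    chain = chain_factory(tbl)
    return [evaluate(chain, pkt, now) for now, pkt in packets], tbl


def new_ssh(src=ATTACKER, state="NEW"):
    return {"src": src, "dport": 22, "state": state}


# Constructed traffic: seven new SSH connections 5 s apart, one packet of an
# already established session, then one new connection much later.
BURST = [(t, new_ssh()) for t in (0, 5, 10, 15, 20, 25, 30)] \
        + [(31, new_ssh(state="ESTABLISHED")), (2000, new_ssh())]

if __name__ == "__main__":
    for name, factory in (("joerg", joerg_chain), ("listing", listing_chain),
                          ("without_plain_accept", without_plain_accept)):
        verdicts, tbl = run(factory, BURST)
        print(name, [v for v, _ in verdicts], "stamps:", dict(tbl.stamps))
```

With Jörg's ordering the first three attempts are accepted, the fourth and fifth are dropped by the 60-second rule and the sixth onward by the 900-second rule, and the source is accepted again once its stamps have aged out; with the listing chain every attempt is accepted by the plain rule and the recent table is never written, which is exactly what to look for in /proc/net/xt_recent/ssh on the live box.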
Participants (6): Bob Williams, Carlos E. R., Istvan Gabor, Otto Rodusek, Rohrer, Joerg, Togan Muftuoglu