Mailinglist Archive: opensuse-security (34 mails)

[opensuse-security] Susefirewall limit connections
Hi ListMates,

I have a large number of attacks on my customer's ports (10022, 5901, 5904) running openSUSE 13.1 x64.

Basically I would like the firewall to allow no more than 5 attempts per 60 second period (or 1 attempt per 12 seconds), after which I would like the firewall to PERMANENTLY LOCK out the attempting IP. I'm not sure whether this can be done via the SuseFirewall or whether I need to write a script to do it.

I have tried a couple of methods with the following script BUT I still get several (thousands of) attempts in my firewall logs.

Any suggestions?

Thanks and best regards. Otto.

---------Start of bash script-----------
#!/bin/bash

##### command to use
IPT=/usr/sbin/iptables

##### time window in seconds for counting new connections
# (named WINDOW rather than SECONDS: bash reserves SECONDS as a running
# counter that keeps incrementing from whatever value is assigned to it)
WINDOW=60

##### max new connections per IP within the window
BLOCKCOUNT=5

##### default action can be DROP or REJECT
DACTION="DROP"

##### default port to monitor (if not given as the first argument)
PORT=10022

if [ $# -eq 1 ]
then
    PORT=$1
fi

##### method 1: record every NEW connection in the list rule${PORT}, then
##### ${DACTION} once the source has BLOCKCOUNT hits within WINDOW seconds
##### (--update refreshes the entry, so the block holds while attempts continue)
$IPT -A INPUT -p tcp --dport ${PORT} -m state --state NEW -m recent --set --name rule${PORT}
$IPT -A INPUT -p tcp --dport ${PORT} -m state --state NEW -m recent --update --name rule${PORT} \
    --seconds ${WINDOW} --hitcount ${BLOCKCOUNT} -j ${DACTION}

##### method 2: same idea with --rcheck (no timestamp refresh) and a REJECT
#$IPT -A INPUT -p tcp --dport ${PORT} -m state --state NEW -m recent --set
#
#$IPT -A INPUT -p tcp --dport ${PORT} -m state --state NEW -m recent --rcheck \
#    --seconds ${WINDOW} --hitcount ${BLOCKCOUNT} -j REJECT --reject-with icmp-port-unreachable

---------End of bash script-----------
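An added example, not from Otto's post or from SuSEfirewall2, of the xt_recent "watch list + ban list" pattern that comes closest to the behaviour asked for: a source that opens more than 5 new connections to the port within 60 seconds is put on a ban list, and every further packet from it refreshes the ban timer. The list names, WINDOW/HITS/BANTIME/DRY_RUN variables and the dry-run default are assumptions of this example; the port numbers are those from the post.

```shell
#!/bin/bash
# Added example (assumptions: list names watch*/ban*, BANTIME, DRY_RUN).
# xt_recent cannot make a ban truly permanent: entries live in kernel memory,
# a list holds ip_list_tot=100 addresses by default, and all are lost at reboot.
set -eu

IPT=${IPT:-/usr/sbin/iptables}
PORT=${1:-10022}        # port to protect; the post's default
WINDOW=60               # seconds; the post's "5 attempts per 60 seconds"
HITS=5                  # NEW connections tolerated per WINDOW and source IP
BANTIME=86400           # ban timer, refreshed while the attacker keeps trying
DRY_RUN=${DRY_RUN:-1}   # 1 = print the iptables commands; 0 = apply them
# The window is deliberately not called SECONDS: bash reserves that name as a
# running counter, so "SECONDS=60" does not hold a fixed value.

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Emit the three rules for one port. They are INSERTED at the top of INPUT
# (-I, not -A): a rule appended after an existing ACCEPT or LOG rule for the
# same port is never reached, which is one way appended rules leave the log
# full of attempts.
build_rules() {
    local port=$1
    # 1. already banned? refresh the timer and drop
    run "$IPT" -I INPUT 1 -p tcp --dport "$port" \
        -m recent --name "ban$port" --update --seconds "$BANTIME" -j DROP
    # 2. record every NEW connection in the watch list (--set always matches)
    run "$IPT" -I INPUT 2 -p tcp --dport "$port" -m state --state NEW \
        -m recent --name "watch$port" --set
    # 3. the (HITS+1)th NEW connection inside WINDOW: add the source to the
    #    ban list and drop this packet; rule 1 handles everything after it
    run "$IPT" -I INPUT 3 -p tcp --dport "$port" -m state --state NEW \
        -m recent --name "watch$port" --rcheck --seconds "$WINDOW" --hitcount $((HITS + 1)) \
        -m recent --name "ban$port" --set -j DROP
}

# Number of rules that would be installed for a port (dry run only).
count_rules() {
    DRY_RUN=1 build_rules "$1" | wc -l | tr -d ' '
}

build_rules "$PORT"
```

With DRY_RUN=0 the rules are applied; /proc/net/xt_recent/ban10022 then lists the banned addresses, and writing "-ADDRESS" to that file removes one.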
