Mailinglist Archive: opensuse-security (34 mails)

Re: [opensuse-security] Susefirewall limit connections
On 16/11/14 19:51, Marcus Meissner wrote:
> On Sun, Nov 16, 2014 at 11:38:17AM +0800, Otto Rodusek wrote:
> > Hi ListMates,
> >
> > I have a large number of attacks on my customer's ports (10022,
> > 5901, 5904) running OpenSuse 13.1 x64.
> >
> > Basically I would like the firewall to allow no more than 5 attempts
> > per 60 second period (or 1 attempt per 12 seconds), after which I
> > would like the firewall to PERMANENTLY LOCK out the attempting IP.
> > I'm not sure whether this can be done via the SuseFirewall or
> > whether I need to write a script to do it.
> >
> > I have tried a couple of methods with the following script BUT I still
> > get several (thousands) attempts in my firewall logs.
> >
> > Any suggestions?
> >
> > Thanks and best regards. Otto.
>
> You already use the ipt_recent table rule ... Do not see where the issue
> is, perhaps the default action is still triggered.
>
> You can debug this with iptables -v -L and check the hitcount on the rules
> which trigger.
>
> In SUSE firewall
> remove ssh from FW_SERVICES_ACCEPT, readd it to:
> FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=5,blockseconds=300,recentname=ssh"
>
> And instead of "22" and "ssh" you can use your ports and a logname, rules
> separated by spaces.
>
> Ciao, Marcus

Hi Marcus,

Thanks for your feedback - I'll give that a try.
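To make Marcus's FW_SERVICES_ACCEPT_EXT syntax concrete, here is an added example (not from the thread or from SuSEfirewall2 itself) that expands one such entry into the pair of iptables `-m recent` rules it stands for. It assumes the conventional hitcount/seconds rate-limit rule pair and SuSEfirewall2's `input_ext` chain name; the exact rules SuSEfirewall2 emits may differ in detail.

```shell
#!/bin/sh
# Expand one SuSEfirewall2 FW_SERVICES_ACCEPT_EXT entry of the form
#   net,proto,dport,sport,hitcount=N,blockseconds=S,recentname=NAME
# into equivalent iptables -m recent rules (assumption: conventional
# rate-limit rule pair, not SuSEfirewall2's literal generated output).
sfw2_recent_rules() {
  entry=$1
  net=$(printf '%s' "$entry" | cut -d, -f1)
  proto=$(printf '%s' "$entry" | cut -d, -f2)
  dport=$(printf '%s' "$entry" | cut -d, -f3)
  hitcount=5; seconds=300; name="$proto$dport"   # defaults if options absent
  for opt in $(printf '%s' "$entry" | cut -d, -f5- | tr ',' ' '); do
    case $opt in
      hitcount=*)     hitcount=${opt#hitcount=} ;;
      blockseconds=*) seconds=${opt#blockseconds=} ;;
      recentname=*)   name=${opt#recentname=} ;;
    esac
  done
  src=""
  [ "$net" = "0/0" ] || src="-s $net "
  # Rule 1: a source already seen $hitcount times within the last $seconds
  # seconds is dropped. --update refreshes the source's timestamp on every
  # hit, so a client that keeps retrying stays blocked until it has been
  # quiet for $seconds; this is as close to "permanent" as xt_recent gets.
  printf 'iptables -A input_ext %s-p %s --dport %s -m conntrack --ctstate NEW -m recent --name %s --update --seconds %s --hitcount %s -j DROP\n' \
    "$src" "$proto" "$dport" "$name" "$seconds" "$hitcount"
  # Rule 2: otherwise record the source in the list and accept the connection.
  printf 'iptables -A input_ext %s-p %s --dport %s -m conntrack --ctstate NEW -m recent --name %s --set -j ACCEPT\n' \
    "$src" "$proto" "$dport" "$name"
}

# Marcus's example entry, and one for Otto's port 10022 with a 60 s window.
sfw2_recent_rules "0/0,tcp,22,,hitcount=5,blockseconds=300,recentname=ssh"
sfw2_recent_rules "0/0,tcp,10022,,hitcount=5,blockseconds=60,recentname=ssh10022"
```

After loading the real rules, `iptables -v -L input_ext` shows the packet counters per rule, which is the check Marcus suggests: a climbing counter on the DROP rule means the limit is being enforced, while hits only on the ACCEPT rule mean the block rule is ordered after something that accepts first.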
