-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The Monday 2007-07-16 at 08:19 -0400, Richard Creighton wrote:
>> FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=120,recentname=ssh"
>> in /etc/sysconfig/SuSEfirewall2
>>
>> This will limit to a maximum of 3 attempts per 120s.
> The log excerpt was despite a setting of:
>
> FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=5,blockseconds=300,recentname=ssh"
>
> which is similar to your suggestion. I will modify the hitcount and blockseconds, but I am curious why it didn't block *all* subsequent attempts from that IP for the 'blockseconds' value. If you look at the log, it is obvious that if any blocking is occurring, it is only blocking more attempts of the same name, but I can't tell for sure if it is trying new names almost instantly after being blocked or what, but it is obvious the IP isn't being blocked.
It doesn't even look at the login name: it only looks at connection attempts to a certain port, no matter what that port is for. And I think that blocks should be logged. At least, a previous version of this idea did so.
>> Even more effective can be running sshd on an unusual port, or installing something like "fail2ban".
> I thought about an 'unusual port', but a port scanner would certainly find it as it found port 22.
Interestingly, most of these scans are done by scripts that don't really scan every port.

- -- 
Cheers,
       Carlos E. R.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Made with pgp4pine 1.76

iD8DBQFGm2XgtTMYHG2NR9URArFnAJwPPbzOStxa7Bi4r022i28DzU+VsACdEZuG
F4wQvq0n0CnixI24sjkf7dY=
=g6lC
-----END PGP SIGNATURE-----
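Editor's added example (not part of the thread, and not SuSEfirewall2's own code): the hitcount/blockseconds/recentname setting discussed above is built on the iptables "recent" match, and the behaviour Richard saw in his log follows directly from how that match counts. The model below assumes the setting expands to the usual two-rule recipe (an --update/--seconds/--hitcount DROP rule followed by a --set ACCEPT rule, both on NEW connections to port 22); the exact rules SuSEfirewall2 emits are not reproduced here. It shows two things the thread only states in words: the list sees TCP connection attempts, not login names, so one connection carrying several password guesses costs a single hit; and because --update refreshes the entry on every blocked packet, a host that keeps hammering stays blocked for blockseconds after its *last* attempt, while a host that pauses is let back in once fewer than hitcount stamps remain in the window. All addresses, times and scenarios are constructed for the example.

```python
"""Model of the iptables 'recent' match behind
FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=N,blockseconds=S,recentname=ssh".

Assumed rule shape (added example, not SuSEfirewall2's actual output):
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
        -m recent --name ssh --update --seconds S --hitcount N -j DROP
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
        -m recent --name ssh --set -j ACCEPT
Semantics follow the kernel xt_recent match: --update matches when the
source already has at least N stamps newer than now-S and, on a match,
records this packet too; --set always records the packet.
"""
from collections import deque

MAX_STAMPS = 20  # kernel default ip_pkt_list_tot; oldest stamps are discarded beyond this


class RecentList:
    """One named xt_recent list plus the two rules that consult it."""

    def __init__(self, seconds, hitcount, name="ssh"):
        self.name = name
        self.seconds = seconds
        self.hitcount = hitcount
        self.stamps = {}  # source address -> deque of NEW-connection timestamps

    def hits_in_window(self, src, now):
        # xt_recent counts stamps strictly newer than now - seconds
        return sum(1 for t in self.stamps.get(src, ()) if t > now - self.seconds)

    def new_connection(self, src, now):
        """Verdict for one NEW TCP SYN to port 22 from `src` at time `now` (seconds)."""
        entry = self.stamps.setdefault(src, deque(maxlen=MAX_STAMPS))
        # Rule 1: --update --seconds S --hitcount N -j DROP. Matches only once the
        # address already has >= N stamps inside the window; on a match --update
        # records this packet as well, so the window slides with every blocked attempt.
        if self.hits_in_window(src, now) >= self.hitcount:
            entry.append(now)
            return "DROP"
        # Rule 2: --set -j ACCEPT. The first N connections in any window get through.
        entry.append(now)
        return "ACCEPT"


def verdicts(connections, seconds=300, hitcount=5):
    """Run (time, src) NEW connections through the rules in time order."""
    table = RecentList(seconds, hitcount)
    return [(t, src, table.new_connection(src, t)) for t, src in sorted(connections)]


def guesses_reaching_sshd(connections, max_auth_tries=6, seconds=300, hitcount=5):
    """Password guesses sshd actually sees when each accepted connection is allowed
    MaxAuthTries attempts. The recent match never sees the guesses, only the SYN,
    so a connection that tries six user names costs the same single hit as one."""
    return sum(max_auth_tries
               for _, _, v in verdicts(connections, seconds, hitcount) if v == "ACCEPT")


if __name__ == "__main__":
    # Constructed scenario 1: a new connection per guess every 10 s, a pause, then a retry.
    attacker = [(t, "10.0.0.5") for t in range(0, 101, 10)] + [(350, "10.0.0.5"), (410, "10.0.0.5")]
    for t, src, v in verdicts(attacker):
        print(f"t={t:4d}s {src} {v}")
    # Constructed scenario 2: one connection every 30 s for ten minutes.
    conns = [(t, "10.0.0.5") for t in range(0, 600, 30)]
    print("guesses delivered, one per connection:", guesses_reaching_sshd(conns, max_auth_tries=1))
    print("guesses delivered, six per connection:", guesses_reaching_sshd(conns, max_auth_tries=6))
```

In scenario 1 the sixth connection at t=50 is the first one dropped, the retry at t=350 is still dropped because five stamps (60..100) remain inside the 300 s window, and only the attempt at t=410 gets through again. Scenario 2 is the thread's point in numbers: with the 5-per-300s setting, a script that reuses each connection for six guesses delivers six times as many guesses as one that reconnects per guess, and the firewall cannot tell the difference, which is why logging the blocks (and, for per-login-name behaviour, a log-driven tool such as fail2ban) is the complement Carlos suggests.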