John Andersen wrote:
> On Tuesday 17 July 2007, Richard Creighton wrote:
> > But if the logging shows up prefixed with sshd as yours does:
> Jul 17 00:38:27 raid5 sshd
>
> Then you can be assured that the connection attempt DID get
> to the ssh daemon, and was NOT dropped. If it was dropped
> the sshd would never see these packets.
>
> I suspect you will have to restart iptables somehow, if not by
> reboot then by iptables commands. (Shorewall does this
> for me so I don't know the base level syntax).

I did and all hell broke loose.... There were error messages during the system reboot that said that.... well, here is the pertinent line:

Starting Firewall Initialization (phase 2 of 2)
SuSEfirewall2: Warning: ip6tables does not support state matching. Extended IPv6 support disabled.
SuSEfirewall2: Error: unknown parameter name=ssh in FW_SERVICES_ACCEPT_EXT -> 0/0,tcp,22,,hitcount=3,blockseconds=120,name=ssh

<snip>

> The only significant difference I see is my name: SSHA is unique, not any
> common name such as ssh. Your badssh should have worked.
> Since then, I manually added the following to the IPTABLES bypassing SUSEFIREWALL2;
> iptables -A FORWARD -p tcp -i eth0 --dport 22 -m recent --name badssh --set
> -j DROP
> iptables -A FORWARD -m recent --name badssh --update --hitcount 3 --seconds
> 60 -j DROP

Which gave an 'iptables -L' of;

> Chain FORWARD (policy DROP)
> target prot opt source destination
> LOG 0 -- anywhere anywhere limit: avg 3/min
> burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING
> '
> DROP tcp -- anywhere anywhere tcp dpt:ssh
> recent: SET name: badssh side: source
> DROP 0 -- anywhere anywhere recent: UPDATE
> seconds: 60 hit_count: 3 name: badssh side: source

which looks like it made it to the IPTABLES....

However, as I type this, my entire LAN is under attack, including this machine, with a concerted sshd dictionary attack:

Jul 17 16:04:56 raid5 sshd[7401]: Invalid user admin from 61.145.119.180
Jul 17 16:05:02 raid5 sshd[7403]: Invalid user admin from 61.145.119.180
Jul 17 16:05:06 raid5 sshd[7405]: Invalid user admin from 61.145.119.180
Jul 17 16:05:08 raid5 sshd[7407]: Invalid user admin from 61.145.119.180
Jul 17 16:05:11 raid5 sshd[7409]: Invalid user admin from 61.145.119.180
Jul 17 16:05:14 raid5 sshd[7411]: Invalid user admin from 61.145.119.180
Jul 17 16:05:17 raid5 sshd[7413]: Invalid user admin from 61.145.119.180
Jul 17 16:05:20 raid5 sshd[7415]: Invalid user admin from 61.145.119.180
Jul 17 16:05:23 raid5 sshd[7418]: Invalid user admin from 61.145.119.180
Jul 17 16:05:26 raid5 sshd[7420]: Invalid user admin from 61.145.119.180
Jul 17 16:05:29 raid5 sshd[7422]: Invalid user admin from 61.145.119.180
Jul 17 16:05:31 raid5 sshd[7425]: Invalid user admin from 61.145.119.180
Jul 17 16:05:34 raid5 sshd[7428]: Invalid user admin from 61.145.119.180
Jul 17 16:05:37 raid5 sshd[7430]: Invalid user admin from 61.145.119.180

and going through zzzz.

So, for some reason, even though it would appear that IPTABLES is *supposed* to be dropping packets, I still don't have the magic incantation yet. Maybe I am putting it in the wrong place? Help!!!!

Richard
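The sshd lines above prove the attempts are reaching the daemon, and packets addressed to raid5 itself traverse the INPUT chain, so a rule in FORWARD (which only sees packets routed through the box) never touches them. The Python below is an added example, not code from this thread: it models the xt_recent `--update --seconds 60 --hitcount 3` window the poster is after as it behaves on INPUT with the usual update-then-set ordering (and, unlike the FORWARD pair above, no `-j DROP` on the `--set` rule, so the first attempts still get through), then replays it over sshd lines (the 61.145.119.180 lines from the thread plus a constructed, well-behaved 192.0.2.10 source) to show which attempts would have been dropped before sshd ever logged them.

```python
import re
from datetime import datetime, timedelta
# Line shape from the thread: "Jul 17 16:04:56 raid5 sshd[7401]: Invalid user admin from 61.145.119.180"
LOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Invalid user \S+ from (\S+)")

def parse_line(line, year=2007):
    """Return (timestamp, source_ip) for an 'Invalid user' line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2)

class RecentTable:
    """One xt_recent list driven by the usual INPUT-chain pair (list name is this example's):
         -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name badssh --update --seconds S --hitcount N -j DROP
         -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name badssh --set
    --update matches (DROP) when the source already has N stamps inside the window, then adds
    a stamp; otherwise --set adds the stamp and the packet goes on to sshd."""
    def __init__(self, seconds, hitcount):
        self.seconds, self.hitcount = seconds, hitcount
        self.stamps = {}  # source ip -> timestamps of its NEW connections

    def new_connection(self, ts, src):
        """True if this connection attempt would be dropped before sshd sees it."""
        recent = [s for s in self.stamps.get(src, []) if s >= ts - timedelta(seconds=self.seconds)]
        self.stamps[src] = recent + [ts]  # exactly one stamp per packet, whichever rule fires
        return len(recent) >= self.hitcount

def simulate(lines, seconds=60, hitcount=3):
    """Verdict per 'Invalid user' line, in log order: (src, 'DROP' | 'PASS')."""
    table, verdicts = RecentTable(seconds, hitcount), []
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src = parsed
            verdicts.append((src, "DROP" if table.new_connection(ts, src) else "PASS"))
    return verdicts

# Attacker lines copied from the thread plus a constructed, well-behaved 192.0.2.10 source.
SAMPLE_LOG = """\
Jul 17 16:04:56 raid5 sshd[7401]: Invalid user admin from 61.145.119.180
Jul 17 16:05:02 raid5 sshd[7403]: Invalid user admin from 61.145.119.180
Jul 17 16:05:04 raid5 sshd[7404]: Invalid user test from 192.0.2.10
Jul 17 16:05:06 raid5 sshd[7405]: Invalid user admin from 61.145.119.180
Jul 17 16:05:08 raid5 sshd[7407]: Invalid user admin from 61.145.119.180
Jul 17 16:06:30 raid5 sshd[7500]: Invalid user test from 192.0.2.10
""".splitlines()

if __name__ == "__main__":
    print(*simulate(SAMPLE_LOG), sep="\n")  # 61.145.119.180's 4th attempt is the first DROP
```

The 192.0.2.10 source never accumulates three stamps inside 60 seconds, so its second attempt 86 seconds later is still allowed, which is the behaviour to check for before deploying such a rule on a host that legitimate users also reach.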
