On Tuesday 17 July 2007, Richard Creighton wrote:
> 
> John Andersen wrote:
> > On Tuesday 17 July 2007, Richard Creighton wrote:
> > 
> > But if the logging shows up prefixed with sshd as yours does:
> >  Jul 17 00:38:27 raid5 sshd
> > Then you can be assured that the connection attempt DID get
> > to the ssh daemon, and was NOT dropped. If it was dropped
> > the sshd would never see these packets.
> > 
> > I suspect you will have to restart iptables somehow, if not by
> > reboot then by iptables commands.  (Shorewall does this
> > for me so I don't know the base level syntax).
> > 
> I did and all hell broke loose... There were error messages during the
> system reboot that said that... well, here is the pertinent line:
> 
> Starting Firewall Initialization (phase 2 of 2) SuSEfirewall2: Warning:
> ip6tables does not support state matching. Extended IPv6 support disabled.
> SuSEfirewall2: Error: unknown parameter name=ssh in
> FW_SERVICES_ACCEPT_EXT -> 0/0,tcp,22,,hitcount=3,blockseconds=120,name=ssh
> 
> <snip>
> 
> > The only significant difference I see is my name: SSHA  is unique, not any
> > common name such as ssh.  Your badssh should have worked.
> > 
> 
> Since then, I manually added the following to the IPTABLES, bypassing
> SUSEFIREWALL2:
> 
> > iptables -A FORWARD -p tcp -i eth0 --dport 22 -m recent --name badssh --set 
> > -j DROP
> > iptables -A FORWARD -m recent --name badssh --update --hitcount 3  
> > --seconds 60 -j DROP
> 
> Which gave an 'iptables -L' of:
> 
> > Chain FORWARD (policy DROP)
> > target     prot opt source               destination
> > LOG        0    --  anywhere             anywhere            limit: avg 
> > 3/min burst 5 LOG level warning tcp-options ip-options prefix 
> > `SFW2-FWD-ILL-ROUTING '
> > DROP       tcp  --  anywhere             anywhere            tcp dpt:ssh 
> > recent: SET name: badssh side: source
> > DROP       0    --  anywhere             anywhere            recent: UPDATE 
> > seconds: 60 hit_count: 3 name: badssh side: source

Does it make sense to put this in the forward chain?
That's way too late, they have already been seen by the daemon running in THIS 
machine.

If you are going to drop these you want it in the input chain.

In my setup (configured by shorewall):
The INPUT chain references an eth0-In chain,
   the eth0-In chain references a chain named net2fw,
      and net2fw references a chain named %Limit, which defines the rate limit.

So effectively the rate limit is done on the INPUT chain.


-- 
_____________________________________
John Andersen
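
As an added example (not code from the thread or from SuSEfirewall2/shorewall), here is an INPUT-chain version of the rules quoted above, with the thread's values: interface eth0, list name badssh, 3 hits within 60 seconds. The conntrack NEW match, the dry-run variable and the script layout are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the thread): rate-limit new SSH connections in the
# INPUT chain with the "recent" match, so the excess attempts are dropped before
# sshd on this host sees them. Values taken from the thread: interface eth0,
# list name badssh, 3 hits within 60 seconds. The dry-run switch and the
# conntrack NEW match are assumptions of this example.
#
#   sh ssh-ratelimit.sh install                # install into the live ruleset
#   IPTABLES=echo sh ssh-ratelimit.sh install  # print the commands instead
#   sh ssh-ratelimit.sh list                   # show tracked source addresses

IPTABLES="${IPTABLES:-iptables}"   # set to "echo" for a dry run
IFACE="${IFACE:-eth0}"
LISTNAME="${LISTNAME:-badssh}"
HITS="${HITS:-3}"
WINDOW="${WINDOW:-60}"             # seconds

# Emit the two INPUT-chain rules. Order matters: the --update/--hitcount check
# must come before the --set rule, and the --set rule must ACCEPT; a --set rule
# that jumps to DROP records and drops every SSH SYN, not only the excess.
ssh_ratelimit_rules() {
    # 1. A source that has already made $HITS new connections within $WINDOW
    #    seconds is dropped. --update also refreshes its timestamp, so the
    #    window keeps sliding for as long as the attempts continue.
    "$IPTABLES" -A INPUT -i "$IFACE" -p tcp --dport 22 \
        -m conntrack --ctstate NEW \
        -m recent --name "$LISTNAME" --update --seconds "$WINDOW" --hitcount "$HITS" \
        -j DROP
    # 2. Otherwise record the source address in the list and accept the attempt.
    "$IPTABLES" -A INPUT -i "$IFACE" -p tcp --dport 22 \
        -m conntrack --ctstate NEW \
        -m recent --name "$LISTNAME" --set \
        -j ACCEPT
}

# Show the addresses the kernel currently tracks in the list. Newer kernels
# expose it under /proc/net/xt_recent, older ones under /proc/net/ipt_recent.
ssh_ratelimit_list() {
    for f in "/proc/net/xt_recent/$LISTNAME" "/proc/net/ipt_recent/$LISTNAME"; do
        if [ -r "$f" ]; then
            cat "$f"
            return 0
        fi
    done
    echo "list $LISTNAME not present (recent module not loaded or no rule hit yet)"
    return 1
}

if [ "${1:-}" = "install" ]; then
    ssh_ratelimit_rules
elif [ "${1:-}" = "list" ]; then
    ssh_ratelimit_list
fi
```

Because the rules live in INPUT rather than FORWARD, a dropped SYN never reaches sshd, so the `sshd` lines in the log stop for the throttled source; the `list` subcommand shows which addresses are currently being counted. This is IPv4 only, in keeping with the ip6tables warning quoted above.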
