Patrick Shanahan wrote:
> * Richard Creighton <[EMAIL PROTECTED]> [07-17-07 16:09]:
>> Starting Firewall Initialization (phase 2 of 2) SuSEfirewall2: Warning:
>> ip6tables does not support state matching. Extended IPv6 support disabled.
>> SuSEfirewall2: Error: unknown parameter name=ssh in
>> FW_SERVICES_ACCEPT_EXT -> 0/0,tcp,22,,hitcount=3,blockseconds=120,name=ssh
> 
> yes, the line is wrong  :^(
> 
> FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=120,recentname=ssh"
> 
> 

Patrick,

Thank you very much....Obviously despite everything, I must have
fat-fingered something somewhere.   After a cut and paste session PLUS a
system reboot (something I very rarely do in Linux), I ended up with:

LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:ssh state NEW recent: CHECK seconds: 120 hit_count: 3 name: badssh side: source LOG level warning tcp-options ip-options prefix `SFW2-INext-DROPr '

DROP       tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW recent: UPDATE seconds: 120 hit_count: 3 TTL-Match name: badssh side: source

LOG        tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC '

ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW recent: SET name: badssh side: source

ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh


Which seems to be actually *in* the iptables -L.   Now, if that SOB from
China would just return and start his attack over again...he hit me from
a to zzzzz a little while ago but only managed to fill my log on all my
machines.   If this works, my log files will lose a lot of weight I suspect.

Oh...I inserted the word 'bad' in front of ssh to be better able to see
it if it appeared in the iptables...which it did....

Richard

PS
Thanks to all that have endured this thread and to all that have
contributed their ideas.   BTW, I did install 'fail2ban' and it did
execute but it never caught any attacks...so obviously I screwed up in
configuration somehow even though I pointed the thing to the syslog-ng
file as input, etc but it never reported either an error or an attack.
 I expect stupidity on my part is the biggest problem.
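An added example, not from this thread or from SuSEfirewall2's own code: a small Python checker that parses one FW_SERVICES_ACCEPT_EXT item, rejects the `name=` spelling that produced the "unknown parameter" error above, and renders the recent-module rule set that the iptables -L listing shows. The three accepted option keys, the `input_ext` chain name and the 3/min log limit are taken from this thread; anything beyond that is an assumption.

```python
# Option keys this checker accepts (assumption: the three this thread uses;
# SuSEfirewall2 itself may document more).
KNOWN_OPTIONS = {"hitcount", "blockseconds", "recentname"}

def parse_entry(entry):
    """Parse one 'net,proto,dport[,sport[,key=val...]]' item of FW_SERVICES_ACCEPT_EXT."""
    fields = entry.split(",")
    if len(fields) < 3:
        raise ValueError(f"entry needs at least net,proto,dport: {entry!r}")
    parsed = {"source": fields[0], "proto": fields[1], "dport": fields[2],
              "sport": fields[3] if len(fields) > 3 else "", "options": {}}
    for opt in fields[4:]:
        key, sep, value = opt.partition("=")
        if not sep or key not in KNOWN_OPTIONS:
            # The thread's mistake: 'name=ssh' where 'recentname=ssh' was meant.
            raise ValueError(f"unknown parameter {opt} in FW_SERVICES_ACCEPT_EXT -> {entry}")
        parsed["options"][key] = value
    return parsed

def check_entry(entry):
    """Lint helper: None when the entry parses, otherwise the error text."""
    try:
        parse_entry(entry)
    except ValueError as exc:
        return str(exc)
    return None

def iptables_rules(entry, chain="input_ext"):
    """Render the rule set the thread's 'iptables -L' listing shows for one entry."""
    e = parse_entry(entry)
    match = f"-p {e['proto']} --dport {e['dport']}"
    if e["sport"]:
        match += f" --sport {e['sport']}"
    if e["source"] != "0/0":          # 0/0 means any source, so no -s is needed
        match = f"-s {e['source']} {match}"
    opts = e["options"]
    if "hitcount" not in opts:        # plain service: one ACCEPT, no recent tracking
        return [f"-A {chain} {match} -j ACCEPT"]
    new = f"-A {chain} {match} -m state --state NEW"
    name = opts.get("recentname", "DEFAULT")
    window = f"--seconds {opts.get('blockseconds', '0')} --hitcount {opts['hitcount']} --name {name} --rsource"
    log = "-m limit --limit 3/min --limit-burst 5 -j LOG --log-prefix"
    return [  # over the limit: log (rate-limited) and drop; otherwise log, record the source, accept
        f"{new} -m recent --rcheck {window} {log} 'SFW2-INext-DROPr '",
        f"{new} -m recent --update {window} --rttl -j DROP",
        f"{new} {log} 'SFW2-INext-ACC '",
        f"{new} -m recent --set --name {name} --rsource -j ACCEPT",
        f"-A {chain} {match} -j ACCEPT",
    ]
```

Running check_entry over every item of the variable before a firewall restart catches the typo at edit time instead of in the phase-2 error message.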