Patrick Shanahan wrote:
> * Benji Weber <[EMAIL PROTECTED]> [07-16-07 05:04]:
>> set the following line
>>
>> FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=120,recentname=ssh"
>>
>> in /etc/sysconfig/SuSEfirewall2 This will limit to a maximum of 3
>> attempts per 120s.
> 
> This works *very* well, even better than fail2ban, imo.  Is there a
> similar line that will effect the same on postfix attempts rather than
> using fail2ban?
>


Turns out that I have spent the morning trying to figure out why on my
machine that didn't work at all.   I perused the iptables -L and found
the order of the rules produced by susefirewall2 is wrong IF you open
the ssh port using the sysconfig editor OR the YAST2 firewall
configuration Allowed Services advanced TCP ports external.   It puts
dpt:22 as ACCEPT BEFORE the rule produced by the line shown above so that
rule never gets executed.   The solution is to go back into the
sysconfig editor or YAST2 and remove the ssh port and then the above
line and resultant rule becomes activated and works.   It really isn't
better than fail2ban in that it works at the same level, ie, at the
firewall and the rule produced by fail2ban is the first rule examined
and what I like, it is logged so I can easily produce a report to send a
report to the offending site (that might not even know they have the
worm) and suggest they clean house.

As to your second question, I think if you were to examine the output of
iptables -L and find the 2 (I believe) lines that make up the rules that
make the above line function, you could change the dpt:22 to the  port
you need to monitor and add it manually.   I've not seen anyplace in the
GUI that has a place to do it.   Assuming of course that you don't want
to use fail2ban :)

Richard
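Richard's suggestion of adding the rule pair by hand for another port, worked through as an added example that is not code from the thread or from SuSEfirewall2: a helper that emits the rules with the iptables "recent" match (my reconstruction of the hitcount/blockseconds/recentname behaviour, not SuSEfirewall2's exact generated text; the INPUT chain and the name "smtp" are assumptions), and a checker that spots the ordering problem described above in an `iptables -S` listing.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the SuSEfirewall2
# hitcount/blockseconds/recentname behaviour by hand with the iptables
# "recent" match, so the same limit can be put on another port such as
# postfix's 25. The rule text is my reconstruction, not SuSEfirewall2's
# exact generated output; chain INPUT and the "smtp" name are assumptions.

# ratelimit_rules PORT NAME [HITCOUNT] [SECONDS]
# Prints the rules in the order they must be loaded: LOG and DROP for a
# source already seen HITCOUNT times within SECONDS come first, and only
# then the ACCEPT that records the source in the recent list.
ratelimit_rules() {
    port=$1; name=$2; hits=${3:-3}; secs=${4:-120}
    cat <<EOF
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --name $name --rcheck --seconds $secs --hitcount $hits -j LOG --log-prefix "ratelimit-$name "
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --name $name --rcheck --seconds $secs --hitcount $hits -j DROP
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --name $name --set -j ACCEPT
EOF
}

# check_order PORT  (reads "iptables -S" style output on stdin)
# Returns 1 when a plain ACCEPT for PORT, one without "-m recent", sits
# in front of the first recent rule for PORT: the ordering problem from
# the message above, where the limit rule is never reached.
check_order() {
    awk -v port="$1" '
        $0 ~ ("--dport " port "( |$)") {
            if ($0 ~ /-m recent/) seen_recent = 1
            else if ($0 ~ /-j ACCEPT/ && !seen_recent) bad = 1
        }
        END { exit (bad ? 1 : 0) }'
}

# Constructed sample of "iptables -S INPUT" output showing the broken order:
# the YaST/sysconfig ACCEPT for dpt:22 precedes the recent rules.
BROKEN_RULES='-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m recent --rcheck --seconds 120 --hitcount 3 --name ssh --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m recent --set --name ssh --rsource -j ACCEPT'
# Same listing after the ssh entry is removed from YaST, as the message says.
FIXED_RULES=$(printf '%s\n' "$BROKEN_RULES" | sed 1d)

# Usage: show the postfix rules and audit the constructed listings.
ratelimit_rules 25 smtp
printf '%s\n' "$BROKEN_RULES" | check_order 22 || echo "22: plain ACCEPT precedes rate limit"
printf '%s\n' "$FIXED_RULES" | check_order 22 && echo "22: order OK"
```

Run the checker against the real output of `iptables -S INPUT` (or the input_ext chain SuSEfirewall2 uses) to confirm the limit rule is actually reachable.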