
Re: [suse-security] Upgrading SLES9 Susefirewall2 to SuSE9.3



On Sat, 29 Jul 2006 10:18 am, John Andersen wrote:

> > > SLES9 is an enterprise class server, but SuseFirewall is a
> > > user class firewall tool.
> >
> > Susefirewall is not a user class firewall tool, sorry.
> 
> Oops, didn't mean to offend...
> 
> But it is missing too many features for production use
> in large shops in MY opinion, and configuration is sort
> of mysterious.
> 
> Those features it does have are sort of hard to figure out,
> but I do use it for workstations.

Largely I'm happy with Susefirewall2 (at least the 9.3 version)

A couple of things though:

How to get it to log to /var/log/firewall instead of /var/log/messages?
/var/log/mess gets much too messy.

And I tried to get rate limiting on SSH connections working
to cut the brute force SSH scanning, but this didn't work
within Susefirewall2.

#
#       /etc/sysconfig/Susefirewall2-custom
#

##########################################
#       Rate limit brute force SSH attacks, rules by Andrew Pollock
#
#       http://blog.andrew.net.au/2005/02/17#ipt_recent_and_ssh_attacks
#
#-----------------------------------------------------------------------#

# First whitelist a few hosts: a whitelisted source is removed from the
# "SSH" recent list and accepted outright.  Each rule is one command,
# continued with a trailing backslash.
iptables -N SSH_WHITELIST
iptables -A SSH_WHITELIST -s susejam.cbf.csiro.au \
         -m recent --remove --name SSH -j ACCEPT
iptables -A SSH_WHITELIST -s bookreading.net \
         -m recent --remove --name SSH -j ACCEPT
iptables -A SSH_WHITELIST -s alianet.alia.org.au \
         -m recent --remove --name SSH -j ACCEPT
iptables -A SSH_WHITELIST -s flat.alia.org.au \
         -m recent --remove --name SSH -j ACCEPT

# Then implement the "recent" based filter
# 1. record every new SSH connection in the "SSH" list
iptables -A INPUT -p tcp --dport 22 \
         -m state --state NEW -m recent --set --name SSH
# 2. let whitelisted hosts through
iptables -A INPUT -p tcp --dport 22 \
         -m state --state NEW -j SSH_WHITELIST
# 3. 6 new connections within 5 minutes: log (ULOG does not terminate,
#    so the packet carries on to the next rule)
iptables -A INPUT -p tcp --dport 22 \
         -m state --state NEW -m recent --update --seconds 300 \
         --hitcount 6 --rttl --name SSH -j ULOG --ulog-prefix SSH_brute_force
# 4. 36 new connections within an hour: drop.  The recent module rejects a
#    --hitcount larger than its ip_pkt_list_tot parameter (default 20), so
#    this rule only loads if the module was loaded with a larger value.
iptables -A INPUT -p tcp --dport 22 \
         -m state --state NEW -m recent --update --seconds 3600 \
         --hitcount 36 --rttl --name SSH -j DROP



-- 
Michael James                         michael.james@xxxxxxxx
System Administrator                    voice:  02 6246 5040
CSIRO Bioinformatics Facility             fax:  02 6246 5166

No matter how much you pay for software,
 you always get less than you hoped.
Unless you pay nothing, then you get more.
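Added example (my own code, not SuSEfirewall2's and not the kernel's recent module): a Python model of the four INPUT rules from the post, following the recent match's order of operations, where --set stamps every packet and --update counts stamps inside the window and re-stamps only on a match. It assumes the whitelist names are compared literally, ignores --rttl, and assumes ip_pkt_list_tot was raised to 50, since the module refuses --hitcount 36 at its default of 20.

```python
from collections import defaultdict, deque

# Hosts the posted SSH_WHITELIST chain accepts (the model keys on the names).
WHITELIST = {"susejam.cbf.csiro.au", "bookreading.net",
             "alianet.alia.org.au", "flat.alia.org.au"}
# The recent module keeps at most ip_pkt_list_tot stamps per address (kernel
# default 20) and refuses a rule whose --hitcount exceeds it, so the posted
# --hitcount 36 rule needs the module loaded with a larger value; 50 assumed.
PKT_LIST_TOT = 50

class RecentList:
    """One named 'recent' list: a per-source ring of timestamps in seconds."""
    def __init__(self, size=PKT_LIST_TOT):
        self.stamps = defaultdict(lambda: deque(maxlen=size))

    def set(self, src, now):                        # -m recent --set
        self.stamps[src].append(now)

    def remove(self, src):                          # -m recent --remove
        self.stamps.pop(src, None)

    def update(self, src, now, seconds, hitcount):  # --update --seconds --hitcount
        # Match when src already holds >= hitcount stamps inside the window;
        # on a match --update adds a fresh stamp as well (as the kernel does).
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t <= seconds)
        if hits >= hitcount:
            self.stamps[src].append(now)
        return hits >= hitcount

def ssh_new_connection(recent, src, now):
    """Walk one NEW connection to port 22 through the four INPUT rules and return
    the targets hit: ULOG is non-terminating, so it may be followed by DROP; an
    empty list means the packet fell through to the rest of INPUT."""
    recent.set(src, now)                            # rule 1: --set --name SSH
    if src in WHITELIST:                            # rule 2: -j SSH_WHITELIST
        recent.remove(src)
        return ["ACCEPT"]
    hit = []
    if recent.update(src, now, 300, 6):             # rule 3: 6 in 5 min -> ULOG
        hit.append("ULOG")
    if recent.update(src, now, 3600, 36):           # rule 4: 36 in 1 h -> DROP
        hit.append("DROP")
    return hit

def simulate(events):
    """(second, source) NEW connections in time order -> (second, source, targets)."""
    recent = RecentList()
    return [(t, src, ssh_new_connection(recent, src, t)) for t, src in events]
```

Feeding it a constructed burst of one connection every 10 seconds shows the ULOG rule matching from the 6th connection and, because every matching --update adds a second stamp, the DROP rule matching from the 21st connection rather than the 36th.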
