
Re: [opensuse-security] SuSefirewall - protect sshd



Ludwig Nussel wrote:
> Otto Rodusek (AP-SGP) wrote:
>   
>> Ludwig Nussel wrote:
>>     
>>> Otto Rodusek (AP-SGP) wrote:
>>>
>>> Check the output of
>>>
>>> SuSEfirewall2 status
>>>
>>>       
>> I did as you requested and got LOTS of output (I've attached it here in
>> gz format - hope I didn't break any netiquette) but I'm not sure what to
>> look for!!?? Sorry, I'm not too expert in iptables!! Thanks and rgds. Otto.
>>     
>
> There are lots and lots of drop rules for individual IP addresses in the INPUT
> chain. Then a drop rule that unconditionally drops everything follows. So in
> theory you won't receive any traffic. Where does that come from? Looks like
> some script running out of control.
>
> eth1 is your internal interface and eth0 the external one. Most traffic is on
> the internal one.
>
> You have FW_SERVICES_EXT_TCP=22 and FW_SERVICES_ACCEPT_EXT also set. Since
> rules for FW_SERVICES_EXT_TCP are installed first the latter rules never match.
> => Remove ports from FW_SERVICES_EXT_TCP that are also covered by
> FW_SERVICES_ACCEPT_EXT.
>
> cu
> Ludwig
>   
Hi Ludwig,

Thanks for your follow-up and explanation - I have removed port 22 on the
line with FW_SERVICES_EXT_TCP=22 (which comes well before the next code)
and set up FW_SERVICES_ACCEPT_EXT as per the doc - so will monitor to
see if I now get 3 sshd logins per 60 seconds from the same IP.

Yes, you are correct - eth0 is my external and eth1 is the internal. The
numerous drops are a result of a Perl script I run that (tails the log
file) and sets an IP rule for "not allowed logins" after 3 chances - so
that part is correct. I am in the process of changing that part of the
Perl code to instead write to hosts.deny to simplify the iptables.

Again much thanks for your helpful hints. Best regards. Otto.
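Added example, not part of the thread: a check for the ordering problem Ludwig describes, run over constructed `iptables -S INPUT` lines that imitate a bare ACCEPT for port 22 placed ahead of per-source rate-limit rules (the exact rules SuSEfirewall2 emits for FW_SERVICES_EXT_TCP and FW_SERVICES_ACCEPT_EXT are an assumption here, not taken from the posted output).

```python
import re

# Constructed sample in `iptables -S INPUT` form (illustrative, not the
# poster's actual ruleset): a bare ACCEPT for tcp/22, as FW_SERVICES_EXT_TCP
# produces, sits in front of the per-source rate-limit rules that
# FW_SERVICES_ACCEPT_EXT is assumed to generate with hitcount/blockseconds.
SAMPLE_RULES = [
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT",
    "-A INPUT -i eth0 -p tcp --dport 22 -m recent --update --seconds 60 "
    "--hitcount 3 --name ssh -j DROP",
    "-A INPUT -i eth0 -p tcp --dport 22 -m recent --set --name ssh -j ACCEPT",
    "-A INPUT -j DROP",
]
# The same ruleset after removing port 22 from FW_SERVICES_EXT_TCP.
FIXED_RULES = SAMPLE_RULES[:2] + SAMPLE_RULES[3:]

SELECTORS = {"iface": r"(?:^|\s)-i (\S+)", "proto": r"(?:^|\s)-p (\S+)",
             "dport": r"--dport (\S+)"}
TERMINATING = {"ACCEPT", "DROP", "REJECT"}

def parse_rule(line):
    """Reduce one -A line to its selectors, extra match modules and target."""
    rule = {}
    for field, pattern in SELECTORS.items():
        m = re.search(pattern, line)
        rule[field] = m.group(1) if m else None  # None means wildcard
    rule["modules"] = re.findall(r"(?:^|\s)-m (\S+)", line)
    m = re.search(r"-j (\S+)", line)
    rule["target"] = m.group(1) if m else None
    return rule

def covers(earlier, later):
    """True if the earlier rule sees every packet the later rule selects."""
    return all(earlier[f] is None or earlier[f] == later[f] for f in SELECTORS)

def find_shadowed(lines):
    """Return (index, line) for each rule the chain can never reach: an earlier
    rule with a terminating target and no -m module already takes its packets."""
    rules = [parse_rule(l) for l in lines]
    shadowed = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if (not earlier["modules"] and earlier["target"] in TERMINATING
                    and covers(earlier, rule)):
                shadowed.append((i, lines[i]))
                break
    return shadowed
```

Running `find_shadowed` over the real `iptables -S INPUT` output shows whether the rate-limit rules for port 22 are reachable at all, which is the symptom behind "never 3 logins per 60 seconds".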