
Re: [opensuse-security] SuSefirewall - protect sshd

Ludwig Nussel wrote:
> Otto Rodusek (AP-SGP) wrote:
>> Ludwig Nussel wrote:
>>> Otto Rodusek (AP-SGP) wrote:
>>> Check the output of
>>> SuSEfirewall2 status
>> I did as you requested and got LOTS of output (I've attached it here in
>> gz format - hope I didn't break any netiquette) but I'm not sure what to
>> look for!!?? Sorry, I'm not too expert in iptables!! Thanks and rgds. Otto.
> There are lots and lots of drop rules for individual IP addresses in the INPUT
> chain. Then a drop rule that unconditionally drops everything follows. So in
> theory you won't receive any traffic. Where does that come from? Looks like
> some script running out of control.
> eth1 is your internal interface and eth0 the external one. Most traffic is on
> the internal one.
> You have FW_SERVICES_EXT_TCP=22 and FW_SERVICES_ACCEPT_EXT also set. Since
> rules for FW_SERVICES_EXT_TCP are installed first the latter rules never match.
> => Remove ports from FW_SERVICES_EXT_TCP that are also covered by
> cu
> Ludwig
Hi Ludwig,

Thanks for your followup and explanation - I have removed port 22 on the
line with FW_SERVICES_EXT_TCP=22 (which comes well before the next code)
and set up FW_SERVICES_ACCEPT_EXT as per the doc - so will monitor to
see if I now get 3 sshd logins per 60 seconds from same ip.

Yes, you are correct - eth0 is my external and eth1 is the internal. The
numerous drops are a result of a perl script I run that (tails the log
file) and sets an ip rule for "not allowed logins" after 3 chances - so
that part is correct. I am in the process of changing that part of the
perl code to instead write to hosts.deny to simplify the iptables.

Again much thanks for your helpful hints. Best regards. Otto.
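The ordering problem Ludwig points out (an unconditional FW_SERVICES_EXT_TCP entry is installed before the rate-limited FW_SERVICES_ACCEPT_EXT entry, so the latter never matches) can be checked mechanically. The following is an added example written for this archive page; it is not code from the thread or from the SuSEfirewall2 project. The weak and corrected settings are constructed, and the FW_SERVICES_ACCEPT_EXT field layout (net,proto,dport,sport,flags with hitcount=, blockseconds= and recentname=) is assumed to follow the comments in /etc/sysconfig/SuSEfirewall2; the overlapping_ports helper is my own.

```shell
# Added example, not from the thread or from SuSEfirewall2 itself.
# Assumption: FW_SERVICES_ACCEPT_EXT entries are "net,proto,dport,sport,flags"
# and the hitcount/blockseconds/recentname flags drive the iptables
# "recent" match, as described in /etc/sysconfig/SuSEfirewall2.

# Weak setting (constructed): port 22 is opened unconditionally, so the
# rate-limited entry for 22 below it is never reached.
WEAK_FW_SERVICES_EXT_TCP="22 80"
WEAK_FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=3600,recentname=ssh"

# Corrected setting (constructed): 22 removed from the unconditional list,
# so only the rate-limited entry applies to sshd.
FIXED_FW_SERVICES_EXT_TCP="80"
FIXED_FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=3600,recentname=ssh"

# overlapping_ports EXT_TCP ACCEPT_EXT
# Prints every TCP port from FW_SERVICES_EXT_TCP that also appears as the
# destination port of a tcp entry in FW_SERVICES_ACCEPT_EXT (i.e. a port
# whose rate limit is shadowed). Returns 1 if any overlap exists, else 0.
# Port ranges such as "1024:2048" are not expanded here.
overlapping_ports() {
    ext_tcp=$1
    accept_ext=$2
    found=0
    for port in $ext_tcp; do
        for entry in $accept_ext; do
            proto=$(printf '%s' "$entry" | cut -d, -f2)
            dport=$(printf '%s' "$entry" | cut -d, -f3)
            if [ "$proto" = "tcp" ] && [ "$dport" = "$port" ]; then
                echo "$port"
                found=1
            fi
        done
    done
    return $found
}

# Usage: run the check against a config, e.g. after sourcing it with
#   . /etc/sysconfig/SuSEfirewall2
#   overlapping_ports "$FW_SERVICES_EXT_TCP" "$FW_SERVICES_ACCEPT_EXT"
# The constructed weak setting reports 22; the corrected one reports nothing.
overlapping_ports "$WEAK_FW_SERVICES_EXT_TCP" "$WEAK_FW_SERVICES_ACCEPT_EXT" || echo "weak config: rate limit shadowed"
overlapping_ports "$FIXED_FW_SERVICES_EXT_TCP" "$FIXED_FW_SERVICES_ACCEPT_EXT" && echo "fixed config: no overlap"
```

Running the helper against the live file after every change is a cheap way to confirm that any port you expect to be rate limited is not also listed unconditionally; `SuSEfirewall2 status` then shows the `recent`-based rules for port 22 in the INPUT chain without an earlier plain ACCEPT for the same port.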