
Re: [opensuse-security] SSH access refused for legitimate user under heavy load



Hello,

Then you can look at
/etc/sysconfig/SuSEfirewall2
config file in the "FW_SERVICES_ACCEPT_EXT" section.
The hitcount/blockseconds identifiers do not occur in this file...

Not having been able to look at the post you are replying to, as it was a private
mail, I assume he told you to look at an entry like this:

FW_SERVICES_ACCEPT_EXT="0.0.0.0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"

which would have the effect of limiting to 3 attempts per minute.


Should I investigate other paths than the firewall?  Any clues?

Search for ssh related entries in /var/log/messages. Like:

May 2 14:48:04 nimrodel sshd[24255]: Accepted publickey for cer from ::1 port 24897 ssh2

You could see a reject. You can also increase verbosity in the sshd log.

--> You could also try to issue "iptables -L" on the SSHD server machine. It lists all current iptables rules. On my machine with a fairly standard SuSE firewall (SuSE 10.3) I find these two lines:

LOG tcp -- 192.168.2.0/24 anywhere limit: avg 3/min burst 5 state NEW tcp dpt:22 LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TRUST '
ACCEPT tcp -- 192.168.2.0/24 anywhere state NEW,RELATED,ESTABLISHED tcp dpt:22

So there seems to be some kind of rate limiting active even if I did not intentionally configure it in "SuSEfirewall". Do you find similar rules on your server machine?

HTH,

Armin



Dr. Armin Schoech
Carl-Zeiss-Strasse 33/1
D-89551 Koenigsbronn / GERMANY
WWW: http://armin.schoech.de/
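
Added example, not part of the original mail and not SuSEfirewall2's own code: two shell functions that report which FW_SERVICES_ACCEPT_EXT entries set hitcount for port 22, and which rules in an "iptables -L" listing throttle connections as opposed to throttling only the log. The function names and the third sample rule are constructed for illustration; the entry layout net,proto,dport,sport,flags is assumed.

```shell
#!/bin/sh
# Added example, not from the thread or from SuSEfirewall2 itself.

# accept_ext_limits VALUE [PORT]
# VALUE is the content of FW_SERVICES_ACCEPT_EXT (space-separated entries of
# the form net,proto,dport,sport,flags...). Prints "net proto hitcount
# blockseconds" for every entry on PORT (default 22) that sets hitcount=.
accept_ext_limits() {
    printf '%s\n' "$1" | tr -s ' \t' '\n\n' | awk -F, -v port="${2:-22}" '
        $3 == port {
            hit = ""; secs = "-"
            for (i = 5; i <= NF; i++) {
                if ($i ~ /^hitcount=/)     hit  = substr($i, 10)
                if ($i ~ /^blockseconds=/) secs = substr($i, 14)
            }
            if (hit != "") print $1, $2, hit, secs
        }'
}

# classify_ssh_rules: reads `iptables -L` output on stdin and prints
# "<kind> <target>" for each rule that matches destination port 22:
#   traffic   limit/recent match on a verdict target, so connections are throttled
#   log-only  limit match on LOG: only log entries are throttled, and the
#             packet still goes on to the next rule
#   none      no rate limit on this rule
# Assumption: hitcount/blockseconds entries show up as "recent:" matches.
classify_ssh_rules() {
    awk '
        !/dpt:(22|ssh)( |$)/ { next }
        /limit: avg|recent: / {
            kind = ($1 == "LOG") ? "log-only" : "traffic"
            print kind, $1
            next
        }
        { print "none", $1 }'
}

# On a live host (as root):
#   . /etc/sysconfig/SuSEfirewall2; accept_ext_limits "$FW_SERVICES_ACCEPT_EXT"
#   iptables -L | classify_ssh_rules
# Demo on the entry and the two rules quoted in the thread, plus one
# constructed DROP rule carrying a recent match.
accept_ext_limits "0.0.0.0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
classify_ssh_rules <<'EOF'
LOG tcp -- 192.168.2.0/24 anywhere limit: avg 3/min burst 5 state NEW tcp dpt:22 LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TRUST '
ACCEPT tcp -- 192.168.2.0/24 anywhere state NEW,RELATED,ESTABLISHED tcp dpt:22
DROP tcp -- anywhere anywhere tcp dpt:ssh state NEW recent: UPDATE seconds: 60 hit_count: 3 name: ssh side: source
EOF
```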