[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [opensuse-security] SSH access refused for legitimate user under heavy load

Hash: SHA1

On Sunday, 2009-06-07 at 20:38 -0000, Armin Schoech wrote:


 which would have that effect of limiting to 3 attempts per minute.


--> you could also try to issue "iptables -L" on the SSHD server machine. It lists all current iptables rules. On my machine with a fairly standard SuSE firewall (SuSE 10.3) if find these two lines:

LOG        tcp  --       anywhere            limit: avg 3/min  burst 5 state NEW tcp dpt:22 LOG level warning tcp-options ip-options prefix  `SFW2-INext-ACC-TRUST '
ACCEPT     tcp  --       anywhere            state  NEW,RELATED,ESTABLISHED tcp dpt:22

So there seems to be some kind of rate limiting active even if I did not intentionally configure it in "SuSEfirewall". Do you find similar rules on your server machine ?

Before SUSE/Novell added the extended FW_SERVICES_ACCEPT_EXT syntax, there was another method to accomplish the same result. In the configuration file /etc/sysconfig/SuSEfirewall2 we changed this variable:


and then we edited that custom file; I just looked my old configuration, and saw that in the function fw_custom_before_antispoofing() I had added this:

iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j LOG --log-prefix 'SSH attack: '
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j REJECT

The recipe was posted in this list some years ago.

- -- Cheers,
       Carlos E. R.
Version: GnuPG v2.0.9 (GNU/Linux)

To unsubscribe, e-mail: opensuse-security+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-security+help@xxxxxxxxxxxx