
Re: [opensuse-security] SSH access refused for legitimate user under heavy load






On Sunday, 2009-06-07 at 20:38 -0000, Armin Schoech wrote:


 FW_SERVICES_ACCEPT_EXT="0.0.0.0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"

 which would have that effect of limiting to 3 attempts per minute.

...

--> you could also try to issue "iptables -L" on the SSHD server machine. It lists all current iptables rules. On my machine with a fairly standard SuSE firewall (SuSE 10.3) I find these two lines:

LOG        tcp  --  192.168.2.0/24       anywhere            limit: avg 3/min  burst 5 state NEW tcp dpt:22 LOG level warning tcp-options ip-options prefix  `SFW2-INext-ACC-TRUST '
ACCEPT     tcp  --  192.168.2.0/24       anywhere            state  NEW,RELATED,ESTABLISHED tcp dpt:22

So there seems to be some kind of rate limiting active even if I did not intentionally configure it in "SuSEfirewall". Do you find similar rules on your server machine?

Before SUSE/Novell added the extended FW_SERVICES_ACCEPT_EXT syntax, there was another method to accomplish the same result. In the configuration file /etc/sysconfig/SuSEfirewall2 we changed this variable:

FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"

and then we edited that custom file; I just looked at my old configuration, and saw that in the function fw_custom_before_antispoofing() I had added this:

iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j LOG --log-prefix 'SSH attack: '
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j REJECT

The recipe was posted in this list some years ago.

-- Cheers,
       Carlos E. R.
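The bookkeeping behind those three custom rules, as an added Python model that is not part of the original post or of SuSEfirewall2: it records a source's hit timestamps the way the iptables "recent" match does and walks the set/LOG/REJECT chain for each SYN, showing that a client that keeps retrying after the sixth SYN in a minute stays blocked (every rejected SYN adds more hits), while one that pauses for a full 60-second window is let through again. The source address and timestamps are constructed.

```python
# Constructed model of the iptables "recent" match (xt_recent) bookkeeping
# behind the three custom rules in the message above. Added example, not code
# from the original post or from SuSEfirewall2. Times are in seconds; the
# 20-entry ring buffer mirrors the module's default ip_pkt_list_tot.
from collections import defaultdict

SECONDS, HITCOUNT, LIST_TOT = 60, 6, 20


class RecentList:
    """One named list (e.g. 'sshattack'): per-source ring buffer of hit times."""

    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):
        """--set: record a hit for src unconditionally (the rule has no -j)."""
        self._add(src, now)

    def update(self, src, now):
        """--update --seconds S --hitcount H: match if src has >= H hits in the
        last S seconds; on a match the current hit is recorded as well."""
        hits = sum(1 for t in self.stamps.get(src, []) if t >= now - SECONDS)
        if hits >= HITCOUNT:
            self._add(src, now)
            return True
        return False

    def _add(self, src, now):
        q = self.stamps[src]
        if len(q) == LIST_TOT:      # ring buffer: the oldest entry is overwritten
            q.pop(0)
        q.append(now)


def syn_verdict(recent, src, now):
    """Walk the three rules for one SYN: 'pass' means it fell through to
    whatever later rule accepts port 22, 'REJECT' means rule 3 fired."""
    recent.set(src, now)                  # rule 1: -m recent --set
    recent.update(src, now)               # rule 2: -j LOG (non-terminating)
    if recent.update(src, now):           # rule 3: -j REJECT
        return "REJECT"
    return "pass"


def run_scenario(times, src="192.0.2.10"):
    """Verdict for each SYN in a constructed time sequence from one source."""
    recent = RecentList()
    return [syn_verdict(recent, src, t) for t in times]
```

With this model, six SYNs in six seconds reject the sixth, retrying every 15 seconds afterwards never clears the block, and a single SYN 61 seconds after the last attempt passes.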