[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [opensuse-security] SSH access refused for legitimate user under heavy load



Dear Carlos and Armin, thanks for your replies.

It turns out that the firewall is indeed configured to block some SSH requests:

> jobs:/home/pvgorp #  iptables -L | grep ssh
> LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp
> dpt:ssh flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '

I guess I should increase that burst treshold.  Thanks for your help!

Note that I also searched /etc/sysconfig/scripts/SuSEfirewall2-custom
but that file did not contain the hitcount setting.

Kind regards,
Pieter Van Gorp

On Mon, Jun 8, 2009 at 12:16 AM, Carlos E. R.
<robin.listas@xxxxxxxxxxxxxx> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> On Sunday, 2009-06-07 at 20:38 -0000, Armin Schoech wrote:
>
>
>>>  FW_SERVICES_ACCEPT_EXT="0.0.0.0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
>>>
>>>  which would have that effect of limiting to 3 attempts per minute.
>
> ...
>
>> -->  you could also try to issue "iptables -L" on the SSHD server machine. It lists all current iptables rules. On my machine with a fairly standard SuSE firewall (SuSE 10.3) if find these two lines:
>>
>> LOG        tcp  --  192.168.2.0/24       anywhere            limit: avg 3/min  burst 5 state NEW tcp dpt:22 LOG level warning tcp-options ip-options prefix  `SFW2-INext-ACC-TRUST '
>> ACCEPT     tcp  --  192.168.2.0/24       anywhere            state  NEW,RELATED,ESTABLISHED tcp dpt:22
>>
>> So there seems to be some kind of rate limiting active even if I did not intentionally configure it in "SuSEfirewall". Do you find similar rules on your server machine ?
>
> Before SUSE/Novell added the extended FW_SERVICES_ACCEPT_EXT syntax, there was another method to accomplish the same result. In the configuration file /etc/sysconfig/SuSEfirewall2 we changed this variable:
>
> FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
>
> and then we edited that custom file; I just looked my old configuration, and saw that in the function fw_custom_before_antispoofing() I had added this:
>
> iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
> iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j LOG --log-prefix 'SSH attack: '
> iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j REJECT
>
> The recipe was posted in this list some years ago.
>
> - -- Cheers,
>       Carlos E. R.
--
To unsubscribe, e-mail: opensuse-security+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-security+help@xxxxxxxxxxxx