Susefirewall limit connections


Susefirewall limit connections

Otto Rodusek
Hi ListMates,

I have a large number of attacks on my customer's ports (10022, 5901,
5904) running OpenSuse 13.1 x64.

Basically I would like the firewall to allow no more than 5 attempts per
60 second period (or 1 attempt per 12 seconds), after which I would like
the firewall to PERMANENTLY LOCK out the attempting IP. I'm not sure
whether this can be done via the SuseFirewall or whether I need to write
a script to do it.

I have tried a couple of methods with the following script BUT I still get
several (thousands of) attempts in my firewall logs.

Any suggestions?

Thanks and best regards. Otto.

---------Start of bash script-----------
#!/bin/bash

#####command to use
IPT=/usr/sbin/iptables

#####Max connection in seconds
#####(renamed from SECONDS: bash reserves SECONDS as a counter that grows
#####by one every second, so "--seconds ${SECONDS}" would not stay at 60)
BLOCKSECONDS=60

#####Max connections per IP
BLOCKCOUNT=5

#####default action can be DROP or REJECT
DACTION="DROP"

#####default port to monitor (if not input)
PORT=10022

if [ $# = 1 ]
then
   PORT=$1
fi

#####method 1: record every NEW connection, then drop the source once it
#####has BLOCKCOUNT hits within BLOCKSECONDS (trailing \ joins the lines)
$IPT -A INPUT -p tcp --dport ${PORT} -m state --state NEW -m recent \
      --set --name rule${PORT}
$IPT -A INPUT -p tcp --dport ${PORT} -m state --state NEW -m recent \
      --update --name rule${PORT} \
      --seconds ${BLOCKSECONDS} --hitcount ${BLOCKCOUNT} -j ${DACTION}

#####method 2: same idea with --rcheck (block expires BLOCKSECONDS after
#####the recorded hits instead of being refreshed by each new attempt)
#$IPT -A INPUT -p tcp --dport ${PORT} -m state --state NEW -m recent --set
#
#$IPT -A INPUT -p tcp --dport ${PORT} -m state --state NEW -m recent \
#     --rcheck \
#     --seconds ${BLOCKSECONDS} --hitcount ${BLOCKCOUNT} -j REJECT \
#     --reject-with icmp-port-unreachable

---------End of bash script-----------
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]


Re: Susefirewall limit connections

Marcus Meissner
On Sun, Nov 16, 2014 at 11:38:17AM +0800, Otto Rodusek wrote:

> Hi ListMates,
>
> I have a large number of attacks on my customer's ports (10022,
> 5901, 5904) running OpenSuse 13.1 x64.
>
> Basically I would like the firewall to allow no more than 5 attempts
> per 60 second period (or 1 attempt per 12 seconds), after which I
> would like the firewall to PERMANENTLY LOCK out the attempting IP.
> I'm not sure whether this can be done via the SuseFirewall or
> whether I need to write a script to do it.
>
> I have tried a couple methods with the following script BUT I still
> get several (thousands) attempts in my firewall logs.
>
> Any suggestions?
>
> Thanks and best regards. Otto.

You already use the ipt_recent table rule ... I do not see where the issue
is, perhaps the default action is still triggered.

You can debug this with iptables -v -L and check the hitcount on the rules
to see which trigger.

In SUSE firewall, remove ssh from FW_SERVICES_ACCEPT and re-add it to:
FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=5,blockseconds=300,recentname=ssh"

And instead of "22" and "ssh" you can use your ports and a logname, rules separated by spaces.

Ciao, Marcus
 

> ---------Start of bash script-----------
> #!/bin/bash
>
> #####command to use
> IPT=/usr/sbin/iptables
>
> #####Max connection in seconds
> SECONDS=60
>
> #####Max connections per IP
> BLOCKCOUNT=5
>
> #####default action can be DROP or REJECT
> DACTION="DROP"
>
> #####default port to monitor (if not input)
> PORT=10022
>
> if [ $# = 1 ]
> then
>   PORT=$1
> fi
>
> #####method 1
> $IPT -A INPUT -p tcp --dport ${PORT} -m state --state NEW -m recent
> --set --name rule${PORT}
> $IPT -A INPUT -p tcp --dport ${PORT} -m state --state NEW -m recent
> --update --name rule${PORT} \
>      --seconds ${SECONDS} --hitcount ${BLOCKCOUNT} -j ${DACTION}
>
> #####method 2
> #$IPT -A INPUT -p tcp --dport ${PORT} -m state --state NEW -m recent --set
> #
> #$IPT -A INPUT -p tcp --dport ${PORT} -m state --state NEW -m recent
> --rcheck \
> #     --seconds ${SECONDS} --hitcount ${BLOCKCOUNT} -j REJECT
> --reject-with icmp-port-unreachable
>
> ---------End of bash script-----------
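Added example (not code from the thread): a script that emits the per-port iptables "recent" rules Otto's script aims at, with the check placed before the record so a source at the limit stays blocked while it keeps retrying, plus a generator for the SuSEfirewall2 FW_SERVICES_ACCEPT_EXT entry format Marcus quotes. IPT defaults to "echo iptables" so it only prints the rules; the RATELIMIT_ chain names and portNNNN recent-list names are this example's own choices.

```shell
#!/bin/bash
# Added example, not code from the thread. Emits the per-port iptables "recent"
# rules discussed above plus the SuSEfirewall2 FW_SERVICES_ACCEPT_EXT entry
# format from Marcus's reply. IPT defaults to "echo iptables" so it only prints
# the rules; run with IPT=/usr/sbin/iptables to apply them. Chain names and
# "portNNNN" recent-list names are this example's own choices.
IPT="${IPT:-echo iptables}"
HITCOUNT=5       # new connections allowed per source address ...
BLOCKSECONDS=60  # ... within this many seconds (not SECONDS: bash reserves
                 # that name for a counter that grows every second)

# Rules for one port go into their own chain so they are evaluated before any
# generic ACCEPT. Order inside the chain matters: --update is checked first, so
# a source that already has HITCOUNT hits is dropped AND its timestamp is
# refreshed, which keeps it blocked for as long as it keeps retrying; only
# then is the attempt recorded with --set and accepted.
recent_rules() {
    port=$1
    chain="RATELIMIT_$port"
    $IPT -N "$chain"
    $IPT -A "$chain" -m recent --name "port$port" --update \
        --seconds "$BLOCKSECONDS" --hitcount "$HITCOUNT" -j DROP
    $IPT -A "$chain" -m recent --name "port$port" --set -j ACCEPT
    # -I, not -A: the jump must precede rules SuSEfirewall2 already appended.
    $IPT -I INPUT -p tcp --dport "$port" -m state --state NEW -j "$chain"
}

# SuSEfirewall2 equivalent: one space-separated entry per port in the
# net,proto,dport,sport,flags form Marcus quoted (sport left empty).
fw_services_accept_ext() {
    out=""
    for p in "$@"; do
        entry="0/0,tcp,$p,,hitcount=$HITCOUNT,blockseconds=$BLOCKSECONDS,recentname=port$p"
        out="${out:+$out }$entry"
    done
    printf 'FW_SERVICES_ACCEPT_EXT="%s"\n' "$out"
}

# The three ports from the original post.
for p in 10022 5901 5904; do
    recent_rules "$p"
done
fw_services_accept_ext 10022 5901 5904
```

After applying the rules for real, `iptables -v -L RATELIMIT_10022` shows the packet counter on the DROP rule, which is the hitcount check Marcus suggests.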


Re: Susefirewall limit connections

Otto Rodusek
On 16/11/14 19:51, Marcus Meissner wrote:

> On Sun, Nov 16, 2014 at 11:38:17AM +0800, Otto Rodusek wrote:
>> Hi ListMates,
>>
>> I have a large number of attacks on my customer's ports (10022,
>> 5901, 5904) running OpenSuse 13.1 x64.
>>
>> Basically I would like the firewall to allow no more than 5 attempts
>> per 60 second period (or 1 attempt per 12 seconds), after which I
>> would like the firewall to PERMANENTLY LOCK out the attempting IP.
>> I'm not sure whether this can be done via the SuseFirewall or
>> whether I need to write a script to do it.
>>
>> I have tried a couple methods with the following script BUT I still
>> get several (thousands) attempts in my firewall logs.
>>
>> Any suggestions?
>>
>> Thanks and best regards. Otto.
> You already use the ipt_recent table rule ... I do not see where the issue
> is, perhaps the default action is still triggered.
>
> You can debug this with iptables -v -L and check the hitcount on the rules
> to see which trigger.
>
> In SUSE firewall, remove ssh from FW_SERVICES_ACCEPT and re-add it to:
> FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=5,blockseconds=300,recentname=ssh"
>
> And instead of "22" and "ssh" you can use your ports and a logname, rules separated by spaces.
>
> Ciao, Marcus
>  
>
Hi Marcus,

Thanks for your feedback - I'll give that a try.