Advanced firewall configuration - Suse

Thread: Advanced firewall configuration

  1. Advanced firewall configuration

    Running a ssh server I would like to make things a little harder for the
    little buggers out there. Something like e.g.

    iptables -A INPUT -p tcp --syn -m state --state NEW --dport 22 \
        -m limit --limit 1/minute --limit-burst 2 -j ACCEPT
    iptables -A INPUT -p tcp --syn -m state --state NEW --dport 22 \
        -j REJECT --reject-with tcp-reset

    which rejects connections for a minute after the second try.

    However, with the SuSE firewall script setting up iptables it is not
    obvious to me how I can accomplish this. /etc/sysconfig/SuSEfirewall2
    and its documentation do not seem to help much. Any hints are
    appreciated.

    Günther

  2. Re: Advanced firewall configuration

    Günther Schwarz wrote:

    > Running a ssh server I would like to make things a little harder for the
    > little buggers out there. Something like e.g.
    >
    > iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m \
    > limit --limit 1/minute --limit-burst 2 -j ACCEPT
    > iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j \
    > REJECT --reject-with tcp-reset
    >
    > which rejects connections for a minute after the second try.
    >
    > However, with the SuSE firewall script setting up iptables it is not
    > obvious to me how I can accomplish this. /etc/sysconfig/SuSEfirewall2
    > and its documentation do not seem to help much. Any hints are
    > appreciated.


    I don't know much about how the SuSE firewall itself works, but looking
    at /etc/sysconfig/SuSEfirewall2, I notice (about 80% of the way down the
    file) the following:

    # Do you want to load customary rules from a file?
    #
    # This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
    # READ THE EXAMPLE CUSTOMARY FILE AT /etc/sysconfig/scripts/SuSEfirewall2-custom
    #
    #FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
    FW_CUSTOMRULES=""


    So why not try commenting out the last line and uncommenting the
    last-but-one and putting your rules in the SuSEfirewall2-custom file? Seems
    to me all you need to do is decide which section to put them in.

    --
    Garry Knight
    garryknight@gmx.net


  3. Re: Advanced firewall configuration

    Garry Knight wrote:

    > Günther Schwarz wrote:
    >
    >> Running a ssh server I would like to make things a little harder for
    >> the little buggers out there. Something like e.g.
    >>
    >> iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m \
    >> limit --limit 1/minute --limit-burst 2 -j ACCEPT
    >> iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j \
    >> REJECT --reject-with tcp-reset
    >>
    >> which rejects connections for a minute after the second try.
    >>
    >> However, with the SuSE firewall script setting up iptables it is not
    >> obvious to me how I can accomplish this. /etc/sysconfig/SuSEfirewall2
    >> and its documentation do not seem to help much. Any hints are
    >> appreciated.

    >
    > I don't know much about how the SuSE firewall itself works, but
    > looking at /etc/sysconfig/SuSEfirewall2, I notice (about 80% of the
    > way down the file) the following:
    >
    > # Do you want to load customary rules from a file?
    > #
    > # This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
    > # READ THE EXAMPLE CUSTOMARY FILE AT /etc/sysconfig/scripts/SuSEfirewall2-custom
    > #
    > #FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
    > FW_CUSTOMRULES=""
    >
    >
    > So why not try commenting out the last line and uncommenting the
    > last-but-one and putting your rules in the SuSEfirewall2-custom file?


    Thanks, I did not notice this. The example file is not of much use as it
    is just another collection of variable definitions.

    > Seems to me all you need to do is decide which section to put them in.


    Which won't work without analyzing the script /sbin/SuSEfirewall2 itself
    further. Not a very pleasant option. It might well be best not to touch
    it at all and to append the two rules above after the SuSE script has
    been run.

    Inserting in the INPUT chain on the very front before the first
    bifurcation instead of appending it seems to be promising and works on
    a test system. But I'm hesitating to implement this on the ssh server
    which has a rather complex setup including various subchains for input
    and output as well as rules for routing and such. It might also result
    in some performance penalty.

    Günther

  4. Re: Advanced firewall configuration

    Günther Schwarz wrote:
    >>> Running a ssh server I would like to make things a little harder for
    >>> the little buggers out there. Something like e.g.
    >>>
    >>> iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m \
    >>> limit --limit 1/minute --limit-burst 2 -j ACCEPT
    >>> iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j \
    >>> REJECT --reject-with tcp-reset


    You could use the following in SuSEfirewall2 on openSUSE 10.3:

    FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"

    Read the comment to find what you can do with it. It will reject any ssh
    connection above 3 per minute. Now I normally do not have more than 4
    entries in the firewall and the sshd log.

    --
    Freek

  5. Re: Advanced firewall configuration

    Freek wrote:

    > Günther Schwarz wrote:
    >>>> Running a ssh server I would like to make things a little harder
    >>>> for the little buggers out there. Something like e.g.
    >>>>
    >>>> iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m \
    >>>> limit --limit 1/minute --limit-burst 2 -j ACCEPT
    >>>> iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j \
    >>>> REJECT --reject-with tcp-reset

    >
    > You could use the following in SuSEfirewall2 on openSUSE 10.3:
    >
    > FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
    >
    > Read the comment to find what you can do with it. It will reject any
    > ssh connection above 3 per minute. Now I normally do not have more than
    > 4 entries in the firewall and the sshd log.


    Excellent, just what I was looking for. Most unfortunately the system in
    question runs SLES9, and I have no plans for upgrading in the
    foreseeable future. Finally, that's what long-term support is for.

    But I do have an openSuSE 10.3 at hand for testing, so let's see what the
    variable does:

    Chain input_ext (2 references)
    ACCEPT  tcp -- anywhere anywhere tcp dpt:22
    LOG     tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:22 state NEW recent: CHECK seconds: 60 hit_count: 3 name: ssh side: source LOG level warning tcp-options ip-options prefix `SFW2-INext-DROPr '
    DROP    tcp -- anywhere anywhere tcp dpt:22 state NEW recent: UPDATE seconds: 60 hit_count: 3 TTL-Match name: ssh side: source
    ACCEPT  tcp -- anywhere anywhere tcp dpt:22 state NEW recent: SET name: ssh side: source
    ACCEPT  tcp -- anywhere anywhere tcp dpt:22

    Without the option set I find just:
    ACCEPT tcp -- anywhere anywhere tcp dpt:22

    Seems to be fairly safe to include the two additional rules by hand in
    the server's iptables.

    Günther

  6. Re: Advanced firewall configuration

    Günther Schwarz wrote:

    > Freek wrote:
    >
    >> Günther Schwarz wrote:
    >>>>> Running a ssh server I would like to make things a little harder
    >>>>> for the little buggers out there. Something like e.g.
    >>>>>
    >>>>> iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m
    >>>>> \ limit --limit 1/minute --limit-burst 2 -j ACCEPT
    >>>>> iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j
    >>>>> \ REJECT --reject-with tcp-reset

    >>
    >> You could use the following in SuSEfirewall2 on openSUSE 10.3:
    >>
    >> FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
    >>
    >> Read the comment to find what you can do with it. It will reject any
    >> ssh connection above 3 per minute. Now I normally do not have more
    >> than 4 entries in the firewall and the sshd log.

    >
    > Excellent, just what I was looking for. Most unfortunately the system
    > in question runs SLES9, and I have no plans for upgrading in the
    > foreseeable future. Finally, that's what long-term support is for.
    >
    > But I do have an openSuSE 10.3 at hand for testing, so let's see what
    > the variable does:
    >
    > Chain input_ext (2 references)
    > ACCEPT  tcp -- anywhere anywhere tcp dpt:22
    > LOG     tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:22 state NEW recent: CHECK seconds: 60 hit_count: 3 name: ssh side: source LOG level warning tcp-options ip-options prefix `SFW2-INext-DROPr '
    > DROP    tcp -- anywhere anywhere tcp dpt:22 state NEW recent: UPDATE seconds: 60 hit_count: 3 TTL-Match name: ssh side: source
    > ACCEPT  tcp -- anywhere anywhere tcp dpt:22 state NEW recent: SET name: ssh side: source
    > ACCEPT  tcp -- anywhere anywhere tcp dpt:22
    >
    > Without the option set I find just:
    > ACCEPT  tcp -- anywhere anywhere tcp dpt:22
    >
    > Seems to be fairly safe to include the two additional rules by hand in
    > the server's iptables.


    So this is what I added to the ssh server's input_ext chain:

    21 ACCEPT  tcp -- anywhere anywhere state NEW tcp dpt:ssh flags:SYN,RST,ACK/SYN limit: avg 1/min burst 2
    22 DROP    tcp -- anywhere anywhere state NEW tcp dpt:ssh flags:SYN,RST,ACK/SYN

    Seems to discourage scripts quite nicely [1], while legitimate users have
    not complained yet. The changes will get lost if the SuSE firewall script
    runs again, but that does not happen very often.

    [1] One of the last unwanted visits was from a Taiwanese girls' high
    school :-) But like everybody else so far, the girls gave up after the
    second try.

    Günther
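The thread ends up with two different rate-limiting designs: the `-m limit` rule pair from the first post (and the rules added in the last post), and the `-m recent` rule set that SuSEfirewall2 generates for `hitcount=3,blockseconds=60,recentname=ssh`, whose chain dump appears in post 5. The example below is added to this page and is not code from the thread or from SuSEfirewall2. It is a small Python simulation of both match types run over the same constructed timeline of new-connection SYNs, so the difference in behaviour can be seen without root and a test box. The match semantics are simplified models of the iptables `limit` and `xt_recent` modules (an assumption, not the kernel code), and the two addresses come from the RFC 5737 documentation ranges. Note that the `limit` match keeps one token bucket for the whole rule, so a scanner that drains it also locks out an unrelated legitimate client, whereas the `recent` list is keyed on the source address (`side: source` in the dump) and each DROP refreshes the entry, so blockseconds counts from the attacker's last attempt, not the first.

```python
"""Simulate the two SSH rate-limit designs from the thread on one SYN timeline.

Example code added to the page, not from the thread or from SuSEfirewall2.
LimitMatch and RecentList are simplified models (assumption) of the iptables
`limit` match and the `xt_recent` list; SYNS is a constructed timeline.
"""

from collections import defaultdict


class LimitMatch:
    """Model of `-m limit --limit 1/minute --limit-burst 2`.

    One token bucket shared by every source: `burst` tokens to start, refilled
    at `rate_per_min` per minute, one token consumed per SYN that reaches the
    rule.  match() returns True while the ACCEPT rule still fires.
    """

    def __init__(self, rate_per_min=1.0, burst=2):
        self.rate = rate_per_min / 60.0  # tokens per second
        self.burst = float(burst)
        self.tokens = float(burst)
        self.last = 0.0

    def match(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RecentList:
    """Model of one xt_recent list (`--name ssh --rsource`).

    The SuSE rule pair is `--update --seconds 60 --hitcount 3 -j DROP` then
    `--set -j ACCEPT`: a source with 3 or more hits in the last 60 s is dropped,
    and the matching --update records another hit, so the block slides forward
    while the source keeps trying.
    """

    def __init__(self, seconds=60, hitcount=3, max_stamps=20):
        self.seconds = seconds
        self.hitcount = hitcount
        self.max_stamps = max_stamps  # xt_recent ip_pkt_list_tot default
        self.stamps = defaultdict(list)

    def _hits(self, src, now):
        return sum(1 for s in self.stamps[src] if now - s <= self.seconds)

    def _record(self, src, now):
        lst = self.stamps[src]
        lst.append(now)
        if len(lst) > self.max_stamps:
            del lst[0]

    def update_matches(self, src, now):
        """`--update --seconds S --hitcount N`: match and refresh when over limit."""
        if self._hits(src, now) >= self.hitcount:
            self._record(src, now)
            return True
        return False

    def set_(self, src, now):
        """`--set`: always matches and records the hit."""
        self._record(src, now)
        return True


def run_limit(syns):
    """Verdict per (time, src) SYN under the limit ACCEPT / REJECT pair."""
    bucket = LimitMatch(rate_per_min=1.0, burst=2)
    return ["ACCEPT" if bucket.match(t) else "REJECT" for t, _src in syns]


def run_recent(syns):
    """Verdict per (time, src) SYN under the SuSEfirewall2 recent rule set."""
    recent = RecentList(seconds=60, hitcount=3)
    verdicts = []
    for t, src in syns:
        if recent.update_matches(src, t):
            verdicts.append("DROP")
        else:
            recent.set_(src, t)
            verdicts.append("ACCEPT")
    return verdicts


# Constructed timeline (seconds, source): a scanner retries every 5 s, an admin
# connects once in the middle and once later, the scanner returns after 80 s.
SCANNER, ADMIN = "203.0.113.7", "198.51.100.2"
SYNS = [
    (0, SCANNER), (5, SCANNER), (10, SCANNER),
    (12, ADMIN),
    (15, SCANNER), (20, SCANNER),
    (90, ADMIN),
    (100, SCANNER),
]

if __name__ == "__main__":
    for (t, src), lim, rec in zip(SYNS, run_limit(SYNS), run_recent(SYNS)):
        print(f"t={t:3d}s {src:14s} limit: {lim:6s} recent: {rec}")
```

Running it shows the admin's SYN at t=12 rejected under the `limit` design because the scanner has already emptied the shared bucket, while the `recent` design accepts it and only drops the scanner's fourth and fifth attempts. The equivalent hand-written rules, if they are to be appended on a box without the SuSEfirewall2 variable, are the `-m recent --update --seconds 60 --hitcount 3 --name ssh --rsource -j DROP` and `-m recent --set --name ssh --rsource -j ACCEPT` pair that the post 5 chain dump corresponds to, both restricted to `-p tcp --dport 22 -m state --state NEW`.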
