Re: Need for new openSUSE users



houghi wrote:
First and foremost, could you tell me what the hell you are replying to? I
have no idea if you are posting a new post or if this is a reply to
whatever.

Your initial post starting the thread:

Message-ID: <slrngcgh5k.1b0.houghi@xxxxxxxxxxxx>

was that to which I replied.

Note the headers in my reply, particularly the In-Reply-To, References, and Subject headers:

Path: uni-berlin.de!individual.net!not-for-mail
From: Gary Gapinski <usenet@xxxxxxxxxxxxxxxx>
Newsgroups: alt.os.linux.suse
Subject: Re: Need for new openSUSE users
Date: Thu, 11 Sep 2008 12:56:32 -0400
Organization: We've heard of it
Lines: 5
Message-ID: <6it0tlFdgueU1@xxxxxxxxxxxxxxxxxx>
References: <slrngcgh5k.1b0.houghi@xxxxxxxxxxxx>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Trace: individual.net S2zrQtHZzNA4iG1VYoQsKQbbG9k/ExIEvQAD/eEqxlOpVBXlfi
Cancel-Lock: sha1:URagHPeDp/l3Q1ktRxmGPzbf0X8=
User-Agent: Thunderbird 2.0.0.14 (X11/20080421)
In-Reply-To: <slrngcgh5k.1b0.houghi@xxxxxxxxxxxx>
Xref: uni-berlin.de alt.os.linux.suse:295128

Perhaps your news reader (slrn?) does not thread properly? My reply, its referent, and your rejoinder look properly threaded in my news reader (Thunderbird). Perhaps worthy of note, this message is in reply to Message-ID: <slrngcilf8.372.houghi@xxxxxxxxxxxx>, which contained the References but not the In-Reply-To header.

I believe http://tools.ietf.org/html/rfc2076#section-3.6 is pertinent here, and in turn http://tools.ietf.org/html/rfc822#section-4.6.2.
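As an added illustration (not part of the original post), a small Python function that resolves the parent of an article the way the RFCs above describe: In-Reply-To first, otherwise the last Message-ID in References. The reply headers are the ones quoted above; the rejoinder's headers are constructed here to match the description of houghi's follow-up (References present, In-Reply-To absent).

```python
import email
import re

# Headers quoted from the thread above (the Message-ID hosts are masked on the page).
REPLY_HEADERS = """\
From: Gary Gapinski <usenet@xxxxxxxxxxxxxxxx>
Newsgroups: alt.os.linux.suse
Subject: Re: Need for new openSUSE users
Message-ID: <6it0tlFdgueU1@xxxxxxxxxxxxxxxxxx>
References: <slrngcgh5k.1b0.houghi@xxxxxxxxxxxx>
In-Reply-To: <slrngcgh5k.1b0.houghi@xxxxxxxxxxxx>

"""

# Constructed: a rejoinder carrying References but no In-Reply-To,
# as the post describes for houghi's follow-up.
REJOINDER_HEADERS = """\
From: houghi <houghi@xxxxxxxxxxxx>
Newsgroups: alt.os.linux.suse
Subject: Re: Need for new openSUSE users
Message-ID: <slrngcilf8.372.houghi@xxxxxxxxxxxx>
References: <slrngcgh5k.1b0.houghi@xxxxxxxxxxxx> <6it0tlFdgueU1@xxxxxxxxxxxxxxxxxx>

"""


def message_ids(value):
    """Split a References/In-Reply-To header value into its <id> tokens."""
    return re.findall(r"<[^>]+>", value or "")


def parent_message_id(raw):
    """Return the Message-ID of the article this one replies to, or None.

    RFC 822 sec. 4.6.2 / RFC 2076 sec. 3.6: In-Reply-To names the parent
    directly; when it is absent, the last entry in References is the
    immediate parent (a reader that only honours In-Reply-To drops the thread).
    """
    msg = email.message_from_string(raw)
    ids = message_ids(msg.get("In-Reply-To")) or message_ids(msg.get("References"))
    return ids[-1] if ids else None
```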



Secondly, if you think it is a good idea, please elaborate. I looked at
those lines and I saw nothing that had anything to do with what this
thread is talking about.

SuSEfirewall2 now allows an easy way to specify rate limiting for arbitrary protocols. Rather than bolting on some additional software, one may wish to try specifying (e.g., for ssh) that rate limiting is to be applied by modifying the /etc/sysconfig/SuSEfirewall2 configuration file.

One can, for example, observe line 416 and then change line 422 to read

FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"

which will cause SSH TCP connect attempts (TCP SYNs to port 22), originating anywhere, in excess of 3 within the prior 60 seconds, to be dropped. This works quite well against brute force attacks.

Due to a shortcoming in the script, I think that ssh should _not_ also appear in FW_CONFIGURATIONS_EXT.

Lines 414-422 are, at least on my openSUSE v11 system, as follows:

# Example:
# Allow max three ssh connects per minute from the same IP address:
# "0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
#
# The special value _rpc_ is recognized as protocol and means that dport is
# interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
# details.
#
FW_SERVICES_ACCEPT_EXT=""

which, while perhaps less than totally obvious, seems as well not entirely devoid of information.
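To make the entry format concrete, here is an added example (mine, not SuSEfirewall2's own code) that parses a FW_SERVICES_ACCEPT_EXT entry of the form net,proto[,dport[,sport[,flag=value...]]] and renders the iptables "recent" rules that express the same limit. The chain name input_ext and the exact rule layout are my reading of the semantics described above, not the rules the script actually generates.

```python
# Constructed sample entry, identical to the one suggested in this post.
ENTRY = "0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"


def parse_accept_entry(entry):
    """Parse one FW_SERVICES_ACCEPT_EXT entry into a dict."""
    fields = entry.split(",")
    if len(fields) < 2:
        raise ValueError(f"need at least net,proto: {entry!r}")
    rule = {"net": fields[0], "proto": fields[1],
            "dport": fields[2] if len(fields) > 2 and fields[2] else None,
            "sport": fields[3] if len(fields) > 3 and fields[3] else None,
            "flags": {}}
    for flag in fields[4:]:
        key, _, value = flag.partition("=")
        rule["flags"][key] = value
    flags = rule["flags"]
    # Assumption of this parser: the three rate-limit flags belong together.
    if "hitcount" in flags and not {"blockseconds", "recentname"} <= flags.keys():
        raise ValueError("hitcount needs blockseconds and recentname as well")
    return rule


def iptables_rules(rule, chain="input_ext"):
    """Render the entry as iptables rules (chain name is an assumption)."""
    match = f"-p {rule['proto']}"
    if rule["dport"]:
        match += f" --dport {rule['dport']}"
    if rule["sport"]:
        match += f" --sport {rule['sport']}"
    if rule["net"] != "0/0":
        match += f" -s {rule['net']}"
    flags = rule["flags"]
    if "hitcount" not in flags:
        return [f"iptables -A {chain} {match} -j ACCEPT"]
    name = flags["recentname"]
    # Check before recording: a source already seen hitcount times within
    # blockseconds is dropped; otherwise the new SYN is recorded and accepted.
    # Established traffic is assumed to be accepted by an earlier state rule.
    return [
        f"iptables -A {chain} {match} -m state --state NEW -m recent --name {name}"
        f" --update --seconds {flags['blockseconds']} --hitcount {flags['hitcount']} -j DROP",
        f"iptables -A {chain} {match} -m state --state NEW -m recent --name {name}"
        f" --set -j ACCEPT",
    ]
```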


Thirdly, this thread is not about securing ssh or re-configuring ssh. It
could just as well be about ftp or any other login service.

The thread, which you started, seemed to address blocking unwanted network connections, using ssh as an example. Rate limiting based on iptables' "recent" capability seemed pertinent, and protocol agnostic, particularly since Herr Nussel has been kind enough to make it very easily configurable using the standard openSUSE firewall (see http://archive.cert.uni-stuttgart.de/suse-security/2008/03/msg00005.html for more context).


