Bug 104602

Summary: Add support for ipt_recent to SUSEfirewall
Product: [openSUSE] openSUSE 10.2
Reporter: Christian Boltz <suse-beta>
Component: Network
Assignee: Ludwig Nussel <lnussel>
Status: VERIFIED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Enhancement
Priority: P5 - None
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: All
Whiteboard:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Christian Boltz 2005-08-14 14:32:18 UTC
Can you add support for ipt_recent to SUSEfirewall? 
It would be a great way to block SSH attacks. It possibly has other 
advantages, but blocking SSH attacks is the most prominent ;-) 
 
I'd suggest having a port/max-packages-per-second pair in the config file.
 
(This enhancement request will have a similar effect as the one in #98374,
but without adding another package.)
Comment 1 Ludwig Nussel 2005-08-16 15:37:27 UTC
The module seems to be more versatile than its name suggests. I'll investigate
whether it's worth integrating it. I fear it will be too complicated for the
simple config file syntax of SuSEfirewall2.
Comment 2 Christian Boltz 2006-04-14 18:04:16 UTC
What about a config option to limit the number of connections per port per IP?

    MAX_CONNECT_PER_MINUTE="ssh:4:300 pop3:10:60"
                            ^^^ ^ ^^^
                     port <--'  |  '---> block time (in seconds)
                                '--> allowed (new) connections per minute

I have seen many mailing list posts where people do something like that using custom rules, so this currently seems to be the main usage of ipt_recent.

One example of the used custom rules:

fw_custom_after_antispoofing() {
    # log sources that exceeded 4 hits on port 22 within 300 seconds
    iptables -A input_ext -p tcp --dport 22 -m recent --update --seconds 300 \
        --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
    # drop packets from such sources (--update refreshes their timestamp)
    iptables -A input_ext -p tcp --dport 22 -m recent --update --seconds 300 \
        --hitcount 4 --rttl --name SSH -j DROP
    # record every accepted new SSH connection in the "SSH" recent list
    iptables -A input_ext -p tcp --dport 22 -m state --state NEW -m recent \
        --set --name SSH -j ACCEPT
    true
}

I understand that SUSEfirewall probably can't support all features of ipt_recent - but why not support at least the most prominent ones? ;-)
Comment 3 Christian Boltz 2006-07-16 13:32:20 UTC
Ping ;-)

Ludwig, what do you think about my suggestion from comment #2?
Comment 4 Ludwig Nussel 2006-07-17 07:57:17 UTC
I'm not sure what the best method is to support this. We could either introduce a new variable or extend an existing one. Something like FW_SERVICES_ACCEPT_EXT="0/0,22,tcp,ipt_recent=4:300" or
FW_SERVICES_ACCEPT_EXT="0/0,22,tcp,hitcount=4,blockseconds=300"
Comment 5 Christian Boltz 2006-07-18 15:51:37 UTC
(In reply to comment #4)
> FW_SERVICES_ACCEPT_EXT="0/0,22,tcp,hitcount=4,blockseconds=300"

This sounds like a good idea and is even better than introducing another config option somewhere[tm] in the config file :-)

However, I'm not really happy with the wording "hitcount" - it should reflect the meaning better: max. number of new connections per second.
What about "maxconnect"?

"blockseconds" sounds good, BTW.
Comment 6 Ludwig Nussel 2006-07-19 06:46:35 UTC
The ipt_recent option is called --hitcount so it can't be that wrong :)
Comment 7 Christian Boltz 2006-07-19 11:08:59 UTC
OK, that's a very good argument ;-)

Since this was the only thing I initially disliked in your idea
> FW_SERVICES_ACCEPT_EXT="0/0,22,tcp,hitcount=4,blockseconds=300"
feel free to implement this ;-)
Comment 8 Ludwig Nussel 2006-07-19 14:37:38 UTC
done
Comment 9 Christian Boltz 2006-12-30 19:53:41 UTC
Thanks!

VERIFIED in 10.2

For the records: the syntax differs from the example above. Working example from /usr/share/doc/packages/SuSEfirewall2/SuSEfirewall2.sysconfig:
FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
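As an added example (not SuSEfirewall2's own code), the following POSIX sh function shows what such an entry expands to: it parses the net,proto,port,flags,key=value format from comment 9 and prints the "-m recent" rule set posted in comment 2 instead of running it. The -s match on the net field, the LOG prefix and the fallback recent name are assumptions of this example, not documented SuSEfirewall2 behaviour.

```sh
#!/bin/sh
# Added example, not SuSEfirewall2 code: expand one FW_SERVICES_ACCEPT_EXT
# entry (net,proto,port,flags,key=value,...) into the ipt_recent rule set
# from comment 2. Rules are printed, not executed, so they can be reviewed.

# recent_rules ENTRY: print three iptables rules, or return 1 if ENTRY is malformed.
recent_rules() {
    rest=$1
    net=${rest%%,*};   rest=${rest#*,}
    proto=${rest%%,*}; rest=${rest#*,}
    port=${rest%%,*};  rest=${rest#*,}
    flags=${rest%%,*}; rest=${rest#*,}   # empty in the example; unused here
    hitcount=; blockseconds=; name=
    # the remaining comma-separated fields are key=value options
    while [ -n "$rest" ]; do
        kv=${rest%%,*}
        if [ "$kv" = "$rest" ]; then rest=; else rest=${rest#*,}; fi
        case $kv in
            hitcount=*)     hitcount=${kv#hitcount=} ;;
            blockseconds=*) blockseconds=${kv#blockseconds=} ;;
            recentname=*)   name=${kv#recentname=} ;;
            *) echo "recent_rules: unknown option '$kv'" >&2; return 1 ;;
        esac
    done
    # both counters must be non-empty and purely numeric
    case $hitcount     in ''|*[!0-9]*) echo "recent_rules: bad hitcount" >&2; return 1 ;; esac
    case $blockseconds in ''|*[!0-9]*) echo "recent_rules: bad blockseconds" >&2; return 1 ;; esac
    # assumption: without recentname, derive the list name from proto and port
    [ -n "$name" ] || name="${proto}${port}"
    match="-s $net -p $proto --dport $port"
    # 1. log a source once it exceeded hitcount hits within blockseconds
    echo "iptables -A input_ext $match -m recent --update --seconds $blockseconds --hitcount $hitcount --rttl --name $name -j LOG --log-prefix \"${name}_brute_force \""
    # 2. drop its packets; --update refreshes the timestamp, extending the block
    echo "iptables -A input_ext $match -m recent --update --seconds $blockseconds --hitcount $hitcount --rttl --name $name -j DROP"
    # 3. record every accepted NEW connection in the recent list
    echo "iptables -A input_ext $match -m state --state NEW -m recent --set --name $name -j ACCEPT"
}

# the entry from comment 9 (constructed usage; prints the three rules)
recent_rules "0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
```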