
Thread: SuSEfirewall2: two questions

  1. #1

    SuSEfirewall2: two questions

    Hello all,

    I'm looking at hardening my SuSEfirewall2 (on openSUSE 13.1) a bit more. Two of the things I am thinking about are:
    1. rate-limiting of traffic to available services (for instance ssh but also apache)
    2. introducing an automated way of updating firewall rules to ward off attackers


    Regarding number 1, I understand that services can drop ready-made configuration files in /etc/sysconfig/SuSEfirewall2.d/services. These contain the necessary ports to open to the outside world, etc. For instance, if you look at the file for the sshd service, this is included:
    Code:
    ## Name: Secure Shell Server
    ## Description: Open ports for Secure Shell Server
    
    # space separated list of allowed TCP ports
    TCP="ssh"

    Nothing exciting there. I also understand that in these config files, you can include little else but the ports required for the service to function. So say I want to use rate-limiting, how would I go about configuring that, if I can't use the service file for sshd?

    Regarding number 2, I am not specifically looking for a how-to, just curious if there are people who have implemented such a feature and if so, with what kind of tool? I've been hearing good things about AFP, in combination with BFD, both from R-fx Networks. However, this would require removing the SuSEfirewall.

    I'm very interested in your experiences/thoughts about this.

  2. #2

    Re: SuSEfirewall2: two questions

    Haven't tried this before, but my guess is that you just need to add your
    own custom scripts and then call them from something like what is
    described here in the /etc/sysconfig/SuSEfirewall2 file:

    Code:
    --------------------
    # Do you want to load customary rules from a file?
    #
    # This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
    # READ THE EXAMPLE CUSTOMARY FILE AT /etc/sysconfig/scripts/SuSEfirewall2-custom
    #
    #FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
    FW_CUSTOMRULES=""
    --------------------

    In summary, fill in the custom rules file as shown above, and then in that
    file you can put whatever extra rules you'd like and I think those "rules"
    are basically iptables commands. Should be easy to test/verify. From
    there your own code that wants to rate limit things needs to add the
    rate-limiting rules into that file, or if that file is treated as a shell
    script perhaps have it source files from a directory and then your own
    code could drop service-specific rate-limiting files in some directory.
    The options seem pretty open, though again, I haven't tried your scenario.

    > Regarding number 2, I am not specifically looking for a how-to, just
    > curious if there are people who have implemented such a feature and if
    > so, with what kind of tool? I've been hearing good things about AFP, in
    > combination with BFD, both from 'R-fx Networks' (https://www.rfxn.com/).
    > However, this would require removing the SuSEfirewall.


    I think this is basically what fail2ban is supposed to do. So many
    failures happen, and then the system blocks more aggressively. Google for
    it, or search several other posts in these forums for the same.

    --
    Good luck.


  3. #3

    Re: SuSEfirewall2: two questions

    On 2014-04-03 16:06, joopberis wrote:
    >
    > Hello all,
    >
    > I'm looking at hardening my SuSEfirewall2 (on openSUSE 13.1) a bit more.
    > Two of the things I am thinking about are:
    >
    > - rate-limiting of traffic to available services (for instance ssh but
    > also apache)


    Code:
    FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"

    > - introducing an automated way of updating firewall rules to ward off
    > attackers

    > Regarding number 2, I am not specifically looking for a how-to, just
    > curious if there are people who have implemented such a feature

    Yes.

    > and if
    > so, with what kind of tool?

    Look at fail2ban and denyhosts. The first one is in the OSS repo.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 13.1 x86_64 "Bottle" at Telcontar)
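Editor's worked example, tying together reply #2 (the FW_CUSTOMRULES hook file) and reply #3 (the hitcount=/blockseconds=/recentname= flags, which SuSEfirewall2 implements with the iptables "recent" match). This is an added example, not code from the thread and not the stock SuSEfirewall2-custom file shipped by openSUSE; only the fw_custom_* hook function names are SuSEfirewall2's own. The IPT variable, the ratelimit_* helper names and the numeric limits are this example's assumptions, and IPT exists so the hook can be dry-run with IPT=echo before it is pointed at FW_CUSTOMRULES. It goes one step beyond the thread by adding a hashlimit rule for Apache, where a browser legitimately opens a burst of connections and a plain hit counter would bite real users.

```shell
#!/bin/bash
# Example hooks for /etc/sysconfig/scripts/SuSEfirewall2-custom, enabled with
#   FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
# in /etc/sysconfig/SuSEfirewall2. The file is sourced by SuSEfirewall2, so it
# must only define functions; nothing here runs at load time.
# IPT is an assumption of this example: set IPT=echo to print the rules instead
# of loading them.
IPT=${IPT:-/usr/sbin/iptables}

# Per-source limit with the "recent" match, the same mechanism behind
# hitcount=/blockseconds=/recentname= in FW_SERVICES_ACCEPT_EXT.
# Usage: ratelimit_recent PORT HITS SECONDS NAME
ratelimit_recent() {
    local port=$1 hits=$2 seconds=$3 name=$4
    # Record every new connection attempt from the source address.
    "$IPT" -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW \
        -m recent --set --name "$name" --rsource
    # Because --set runs first, the packet being checked is already counted:
    # the HITS-th new connection inside SECONDS is dropped, and --update
    # refreshes the timestamp so a source that keeps hammering stays blocked.
    "$IPT" -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW \
        -m recent --update --seconds "$seconds" --hitcount "$hits" \
        --name "$name" --rsource -j DROP
}

# Token-bucket limit with hashlimit: sustained RATE per source IP, with BURST
# connections allowed up front, which suits a web server better than a flat
# hit counter. Usage: ratelimit_hashlimit PORT RATE BURST NAME
ratelimit_hashlimit() {
    local port=$1 rate=$2 burst=$3 name=$4
    "$IPT" -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW \
        -m hashlimit --hashlimit-mode srcip --hashlimit-name "$name" \
        --hashlimit-above "$rate" --hashlimit-burst "$burst" -j DROP
}

# SuSEfirewall2 calls this hook before it adds the FW_SERVICES_* port rules.
# The limits below are illustrative values, not recommendations.
fw_custom_before_port_handling() {
    ratelimit_recent 22 4 60 sshlimit              # 3 new SSH connections/min per source, 4th dropped
    ratelimit_hashlimit 80 20/second 50 httplimit  # 20 new HTTP connections/s, burst of 50
    ratelimit_hashlimit 443 20/second 50 httpslimit
    true
}

# The remaining hooks the stock file defines, left as no-ops here.
fw_custom_before_antispoofing() { true; }
fw_custom_after_antispoofing() { true; }
fw_custom_before_masq() { true; }
fw_custom_before_denyall() { true; }
fw_custom_after_finished() { true; }
```

Dry-run it with `IPT=echo bash -c '. ./SuSEfirewall2-custom; fw_custom_before_port_handling'` to see the four iptables commands it would issue. After `rcSuSEfirewall2 restart`, confirm with `iptables -L INPUT -n -v --line-numbers` that the DROP rules sit ahead of whatever ACCEPT rule SuSEfirewall2 generated for the same port, since a DROP appended after the ACCEPT never matches; the per-rule packet counters in that listing also show whether the limits are firing. The `recent` list can be inspected and cleared under /proc/net/xt_recent/, which is handy when you lock yourself out while testing the SSH limit.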

  4. #4

    Re: SuSEfirewall2: two questions

    Thanks for the feedback so far, everyone!
    Unfortunately, it seems I have not explained myself clearly enough with regards to item 2.

    I am aware of tools such as Denyhosts and Fail2ban, in fact, I have Fail2ban running on my server at present. Though I don't use it to modify iptables rules but instead use the tcp wrappers approach. I suppose I could change my configuration.

    The thing is, I was looking for people's experience with SuSEfirewall alternatives, or ways to incorporate dynamic blocklists in iptables rules, like is done with spam blacklists. I've realized now though that fail2ban actually meets most of my desires without replacing the SuSEfirewall. So I guess we can call this "case closed".
    Last edited by joopberis; 04-Apr-2014 at 03:59. Reason: speeling mistakkes
