SuSEfirewall2: two questions

Hello all,

I’m looking at hardening my SuSEfirewall2 (on openSUSE 13.1) a bit more. Two of the things I am thinking about are:

  1. rate-limiting of traffic to available services (for instance ssh but also apache)
  2. introducing an automated way of updating firewall rules to ward off attackers

Regarding number 1, I understand that services can drop ready-made configuration files in /etc/sysconfig/SuSEfirewall2.d/services. These contain the necessary ports to open to the outside world, etc. For instance, if you look at the file for the sshd service, this is included:

## Name: Secure Shell Server
## Description: Open ports for Secure Shell Server

# space separated list of allowed TCP ports
TCP="ssh"


Nothing exciting there. I also understand that in these config files, you can include little else but the ports required for the service to function. So say I want to use rate-limiting, how would I go about configuring that, if I can’t use the service file for sshd?

Regarding number 2, I am not specifically looking for a how-to, just curious if there are people who have implemented such a feature and if so, with what kind of tool? I’ve been hearing good things about APF, in combination with BFD, both from R-fx Networks. However, this would require removing the SuSEfirewall.

I’m very interested in your experiences/thoughts about this.

Haven’t tried this before, but my guess is that you just need to add your
own custom scripts and then call them from something like what is
described here in the /etc/sysconfig/SuSEfirewall2 file:

Code:

Do you want to load customary rules from a file?

This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!

READ THE EXAMPLE CUSTOMARY FILE AT

/etc/sysconfig/scripts/SuSEfirewall2-custom

#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
FW_CUSTOMRULES=""

In summary, fill in the custom rules file as shown above, and then in that
file you can put whatever extra rules you’d like and I think those “rules”
are basically iptables commands. Should be easy to test/verify. From
there your own code that wants to rate limit things needs to add the
rate-limiting rules into that file, or if that file is treated as a shell
script perhaps have it source files from a directory and then your own
code could drop service-specific rate-limiting files in some directory.
The options seem pretty open, though again, I haven’t tried your scenario.

> Regarding number 2, I am not specifically looking for a how-to, just
> curious if there are people who have implemented such a feature and if
> so, with what kind of tool? I’ve been hearing good things about APF, in
> combination with BFD, both from ‘R-fx Networks’ (https://www.rfxn.com/).
> However, this would require removing the SuSEfirewall.

I think this is basically what fail2ban is supposed to do. So many
failures happen, and then the system blocks more aggressively. Google for
it, or search several other posts in these forums for the same.


Good luck.

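To make the custom-rules approach from the reply above concrete, here is an added example (my own code, not from the thread, from SuSEfirewall2 or from its shipped SuSEfirewall2-custom file) of a custom-rules script that rate-limits new connections per source address. It assumes that `iptables` is in PATH, that `input_ext` is the chain SuSEfirewall2 uses for the external zone, and that `fw_custom_before_port_handling` is the hook SuSEfirewall2 calls before it appends the ACCEPT rules for FW_SERVICES_*/FW_CONFIGURATIONS_*, so that rules appended here are evaluated first. The `IPTABLES` and `EXT_CHAIN` overrides exist only so the script can be dry-run (`IPTABLES=echo`) and are not SuSEfirewall2 conventions.

```shell
#!/bin/bash
# Added example: a /etc/sysconfig/scripts/SuSEfirewall2-custom style script.
# Enable it with
#   FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
# in /etc/sysconfig/SuSEfirewall2, then restart the firewall.
#
# Assumptions (not verified against the SuSEfirewall2 sources here):
#   - "input_ext" is the chain for the external zone
#   - fw_custom_before_port_handling runs before the service ACCEPT rules
# IPTABLES/EXT_CHAIN overrides are an addition for dry-running this example.

IPTABLES=${IPTABLES:-iptables}
EXT_CHAIN=${EXT_CHAIN:-input_ext}

# Per-source limit on NEW TCP connections using the "recent" match.
# Rule 1 records every new connection attempt from the source address.
# Rules 2 and 3 fire once the address has $hits entries inside $seconds:
# the N-th attempt in the window is logged (rate-limited) and dropped, and
# because --update refreshes the timestamp, an attacker that keeps trying
# stays blocked until it has been quiet for $seconds.
# Note: xt_recent remembers at most 20 timestamps per address by default
# (ip_pkt_list_tot), so $hits must not exceed 20.
#   $1 chain  $2 dport  $3 list name  $4 hitcount  $5 window in seconds
rate_limit_new_tcp() {
    chain=$1 port=$2 name=$3 hits=$4 seconds=$5
    $IPTABLES -A "$chain" -p tcp --dport "$port" -m conntrack --ctstate NEW \
        -m recent --name "$name" --set
    $IPTABLES -A "$chain" -p tcp --dport "$port" -m conntrack --ctstate NEW \
        -m recent --name "$name" --rcheck --seconds "$seconds" --hitcount "$hits" \
        -m limit --limit 3/min -j LOG --log-prefix "SFW2-ratelimit-$name "
    $IPTABLES -A "$chain" -p tcp --dport "$port" -m conntrack --ctstate NEW \
        -m recent --name "$name" --update --seconds "$seconds" --hitcount "$hits" -j DROP
}

# For a busy service like apache the 20-hit cap of "recent" is too small, so
# use hashlimit instead: a token bucket per source IP that allows a burst of
# $burst new connections and then $rate sustained; anything above is dropped.
#   $1 chain  $2 dport  $3 name  $4 sustained rate (e.g. 20/sec)  $5 burst
rate_limit_hashlimit() {
    chain=$1 port=$2 name=$3 rate=$4 burst=$5
    $IPTABLES -A "$chain" -p tcp --dport "$port" -m conntrack --ctstate NEW \
        -m hashlimit --hashlimit-name "$name" --hashlimit-mode srcip \
        --hashlimit-above "$rate" --hashlimit-burst "$burst" -j DROP
}

# SuSEfirewall2 hook: called before the service port rules are created.
fw_custom_before_port_handling() {
    # ssh: the 4th new connection from one address within 60 s is dropped
    rate_limit_new_tcp "$EXT_CHAIN" 22 ssh 4 60
    # apache: per-source burst of 50 new connections, then 20/sec sustained
    rate_limit_hashlimit "$EXT_CHAIN" 80 http 20/sec 50
    rate_limit_hashlimit "$EXT_CHAIN" 443 https 20/sec 50
    true
}
```

To see what would be loaded without touching the live ruleset, source the file and run `IPTABLES=echo fw_custom_before_port_handling`; after a real restart, `iptables -nvL input_ext` shows the rules with their packet counters, and `/proc/net/xt_recent/ssh` lists the addresses the ssh list is currently tracking. The ACCEPT for port 22 itself still has to come from the sshd service file or FW_SERVICES_EXT_TCP; these rules only sit in front of it.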

On 2014-04-03 16:06, joopberis wrote:
>
> Hello all,
>
> I’m looking at hardening my SuSEfirewall2 (on openSUSE 13.1) a bit more.
> Two of the things I am thinking about are:
>
> - rate-limiting of traffic to available services (for instance ssh but
> also apache)


FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"

> - introducing an automated way of updating firewall rules to ward off
> attackers

> Regarding number 2, I am not specifically looking for a how-to, just
> curious if there are people who have implemented such a feature

Yes.

> and if
> so, with what kind of tool?

Look at fail2ban and denyhosts. The first one is in the OSS repo.


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)
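The one-liner in the post above uses the hitcount/blockseconds/recentname flags that SuSEfirewall2 accepts in FW_SERVICES_ACCEPT_EXT. As an added example (not part of Carlos's post), here it is spelled out for three services, with each field labelled. The field layout is the one described in the comments of /etc/sysconfig/SuSEfirewall2 itself; the port and count values are illustrative choices of mine, not recommendations from the thread.

```shell
# Added example: /etc/sysconfig/SuSEfirewall2 fragment (the file is sourced
# as shell, so "\<newline>" inside the quotes is just a line continuation).
# Each entry is  net,protocol,dport,sport,flags  with an empty sport meaning
# any source port; entries are separated by spaces.
#
#   0/0              any source address
#   tcp,22           TCP to destination port 22
#   (empty)          any source port
#   hitcount=3       a source that opens more than about 3 new connections
#   blockseconds=60  within 60 seconds is dropped until it has been quiet
#   recentname=ssh   name of the kernel "recent" list used for the counting
#
# The "recent" match keeps at most 20 timestamps per address by default, so
# hitcount must stay at or below 20; for a busy web server that makes the
# window short rather than the count large.
FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh \
0/0,tcp,80,,hitcount=20,blockseconds=5,recentname=http \
0/0,tcp,443,,hitcount=20,blockseconds=5,recentname=https"
```

Two checks worth doing after `rcSuSEfirewall2 restart`: `iptables -nvL input_ext | grep recent` should show the set/update rules with the list names above, and `/proc/net/xt_recent/ssh` shows which addresses are currently being counted. Also make sure port 22 is not opened a second time, unconditionally, through FW_CONFIGURATIONS_EXT="sshd" or FW_SERVICES_EXT_TCP; an unconditional ACCEPT for the same port would make the rate limit meaningless.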

Thanks for the feedback so far, everyone!
Unfortunately, it seems I have not explained myself clearly enough with regards to item 2.

I am aware of tools such as Denyhosts and Fail2ban, in fact, I have Fail2ban running on my server at present. Though I don’t use it to modify iptables rules but instead use the tcp wrappers approach. I suppose I could change my configuration.

The thing is, I was looking for people’s experience with SuSEfirewall alternatives, or ways to incorporate dynamic blocklists in iptables rules, like is done with spam blacklists. I’ve realized now though that fail2ban actually meets most of my desires without replacing the SuSEfirewall. So I guess we can call this “case closed”.