Just when I thought it might have been over <frown> First, China, then France and now Iran.....
First things first: my SysConfig settings that I ended up with from the first thread, which actually got into IPTABLES.

Sysconfig settings:

    FW_SERVICES_ACCEPT_EXT 0/0,tcp,22,,hitcount=3,blockseconds=120,recentname=badssh

Next the output from 'iptables -L | less' showing that the 'recent' feature of iptables *is* implemented (this is in all of my machines, which are either 10.2 or 10.3A5 SUSE):

    LOG     tcp  --  anywhere  anywhere  limit: avg 3/min burst 5 tcp dpt:ssh state NEW recent: CHECK seconds: 120 hit_count: 3 name: badssh side: source LOG level warning tcp-options ip-options prefix `SFW2-INext-DROPr '
    DROP    tcp  --  anywhere  anywhere  tcp dpt:ssh state NEW recent: UPDATE seconds: 120 hit_count: 3 TTL-Match name: badssh side: source
    LOG     tcp  --  anywhere  anywhere  tcp dpt:ssh state NEW limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC '
    ACCEPT  tcp  --  anywhere  anywhere  tcp dpt:ssh state NEW recent: SET name: badssh side: source
    ACCEPT  tcp  --  anywhere  anywhere  tcp dpt:ssh

A few hours after this 'protection' was installed, IRAN knocked with an hour or so of multiple-machine probing....
Log entries with this in place:

    Jul 17 22:09:54 ASUS sshd[18491]: Invalid user pgsql from 217.11.27.19
    Jul 17 22:09:59 ASUS sshd[18495]: Invalid user adm from 217.11.27.19
    Jul 17 22:10:02 ASUS sshd[18497]: Invalid user ident from 217.11.27.19
    Jul 17 22:10:04 ASUS sshd[18499]: Invalid user webpop from 217.11.27.19
    Jul 17 22:10:07 ASUS sshd[18501]: Invalid user susan from 217.11.27.19
    Jul 17 22:10:09 ASUS sshd[18503]: Invalid user sunny from 217.11.27.19
    Jul 17 22:10:12 ASUS sshd[18505]: Invalid user steven from 217.11.27.19
    Jul 17 22:10:15 ASUS sshd[18507]: Invalid user ssh from 217.11.27.19
    Jul 17 22:10:17 ASUS sshd[18509]: Invalid user search from 217.11.27.19
    Jul 17 22:10:20 ASUS sshd[18511]: Invalid user sara from 217.11.27.19
    Jul 17 22:10:22 ASUS sshd[18513]: Invalid user robert from 217.11.27.19

whois 217.11.27.19

    % Information related to '217.11.27.0 - 217.11.27.127'
    inetnum:      217.11.27.0 - 217.11.27.127
    netname:      Shahrdari
    descr:        Wireless Link
    country:      IR
    admin-c:      CUS200-RIPE
    tech-c:       CUS200-RIPE
    status:       ASSIGNED PA
    mnt-by:       AFRA-MNT-NESH-1
    mnt-lower:    AFRA-MNT-NESH-1
    mnt-routes:   AFRA-MNT-NESH-1
    source:       RIPE # Filtered

    person:       Afra Customer
    address:      No. 20 . , Beheshti Ave. , Tehran, Iran

I managed to turn on WIRESHARK ... a newer incarnation of ETHEREAL ... and captured a portion of the interaction between my 10.3a5 machine and my "guest". Of interest to me was the fact that the incoming SRC port kept changing from time to time. This excerpt starts with a reply from me to them, from port 22 to port 38381, in answer to a previous frame. My machine name is ASUS in this exchange, and his apparently reverse-lookups to NETOPIA despite the whois info above for the IP provided by the header info.
Excerpt from Wireshark showing port changes during this time:

    Frame 20 (134 bytes on wire, 134 bytes captured)
    Ethernet II, Src: 00:1a:92:b9:c3:21 (00:1a:92:b9:c3:21), Dst: Netopia_54:7e:0c (00:0f:cc:54:7e:0c)
    Internet Protocol, Src: ASUS.ricreig.com (70.46.31.229), Dst: 217.11.27.19 (217.11.27.19)
    Transmission Control Protocol, Src Port: ssh (22), Dst Port: 38381 (38381), Seq: 1281, Ack: 469, Len: 68
    SSH Protocol

    No.  Time      Source            Destination       Protocol  Info
    21   2.609922  217.11.27.19      ASUS.ricreig.com  SSHv2     Encrypted request packet len=52
    Frame 21 (118 bytes on wire, 118 bytes captured)
    Ethernet II, Src: Netopia_54:7e:0c (00:0f:cc:54:7e:0c), Dst: 00:1a:92:b9:c3:21 (00:1a:92:b9:c3:21)
    Internet Protocol, Src: 217.11.27.19 (217.11.27.19), Dst: ASUS.ricreig.com (70.46.31.229)
    Transmission Control Protocol, Src Port: 38381 (38381), Dst Port: ssh (22), Seq: 469, Ack: 1349, Len: 52
    SSH Protocol

    No.  Time      Source            Destination       Protocol  Info
    22   2.610377  217.11.27.19      ASUS.ricreig.com  TCP       38381 > ssh [FIN, ACK] Seq=521 Ack=1349 Win=8816 Len=0 TSV=3091501397 TSER=89777291
    Frame 22 (66 bytes on wire, 66 bytes captured)
    Ethernet II, Src: Netopia_54:7e:0c (00:0f:cc:54:7e:0c), Dst: 00:1a:92:b9:c3:21 (00:1a:92:b9:c3:21)
    Internet Protocol, Src: 217.11.27.19 (217.11.27.19), Dst: ASUS.ricreig.com (70.46.31.229)
    Transmission Control Protocol, Src Port: 38381 (38381), Dst Port: ssh (22), Seq: 521, Ack: 1349, Len: 0

    No.  Time      Source            Destination       Protocol  Info
    23   2.610526  ASUS.ricreig.com  217.11.27.19      TCP       ssh > 38381 [FIN, ACK] Seq=1349 Ack=522 Win=7936 Len=0 TSV=89777367 TSER=3091501397
    Frame 23 (66 bytes on wire, 66 bytes captured)
    Ethernet II, Src: 00:1a:92:b9:c3:21 (00:1a:92:b9:c3:21), Dst: Netopia_54:7e:0c (00:0f:cc:54:7e:0c)
    Internet Protocol, Src: ASUS.ricreig.com (70.46.31.229), Dst: 217.11.27.19 (217.11.27.19)
    Transmission Control Protocol, Src Port: ssh (22), Dst Port: 38381 (38381), Seq: 1349, Ack: 522, Len: 0

    No.  Time      Source            Destination       Protocol  Info
    24   2.611140  217.11.27.19      ASUS.ricreig.com  TCP       38484 > ssh [SYN] Seq=0 Len=0 MSS=1408 TSV=3091501397 TSER=0 WS=2
    Frame 24 (74 bytes on wire, 74 bytes captured)
    Ethernet II, Src: Netopia_54:7e:0c (00:0f:cc:54:7e:0c), Dst: 00:1a:92:b9:c3:21 (00:1a:92:b9:c3:21)
    Internet Protocol, Src: 217.11.27.19 (217.11.27.19), Dst: ASUS.ricreig.com (70.46.31.229)
    Transmission Control Protocol, Src Port: 38484 (38484), Dst Port: ssh (22), Seq: 0, Len: 0

    No.  Time      Source            Destination       Protocol  Info
    25   2.611234  ASUS.ricreig.com  217.11.27.19      TCP       ssh > 38484 [SYN, ACK] Seq=0 Ack=1 Win=741376 Len=0 MSS=1460 TSV=89777367 TSER=3091501397 WS=7
    Frame 25 (74 bytes on wire, 74 bytes captured)
    Ethernet II, Src: 00:1a:92:b9:c3:21 (00:1a:92:b9:c3:21), Dst: Netopia_54:7e:0c (00:0f:cc:54:7e:0c)
    Internet Protocol, Src: ASUS.ricreig.com (70.46.31.229), Dst: 217.11.27.19 (217.11.27.19)
    Transmission Control Protocol, Src Port: ssh (22), Dst Port: 38484 (38484), Seq: 0, Ack: 1, Len: 0

    No.  Time      Source            Destination       Protocol  Info
    26   2.911702  217.11.27.19      ASUS.ricreig.com  TCP       38381 > ssh [ACK] Seq=522 Ack=1350 Win=8816 Len=0 TSV=3091501699 TSER=89777367
    Frame 26 (66 bytes on wire, 66 bytes captured)
    Ethernet II, Src: Netopia_54:7e:0c (00:0f:cc:54:7e:0c), Dst: 00:1a:92:b9:c3:21 (00:1a:92:b9:c3:21)
    Internet Protocol, Src: 217.11.27.19 (217.11.27.19), Dst: ASUS.ricreig.com (70.46.31.229)
    Transmission Control Protocol, Src Port: 38381 (38381), Dst Port: ssh (22), Seq: 522, Ack: 1350, Len: 0

So, something still isn't working... on multiple machines, despite the 'recent' function in IPTABLES on stable and alpha versions of SUSE, and the firewall apparently isn't stopping the attack, because the log entry suggests that SSHD is logging the attack, not the firewall. I'll be honest, I am out of my league when it comes to this type of problem, and I appreciate any help you guys and gals can provide. I also appreciate all of the help that has already been provided.
I know I am not the only one with this problem, so if success does show its ugly face around here, I'm sure a lot of hackers around the world will be disappointed, because I will spread the word to all of you that care to listen.

Richard

--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
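Added example (editor's code, not part of Richard's post or of SuSEfirewall2): a small replay of the sshd lines quoted above through the documented semantics of the iptables 'recent' match, in the rule order the post's `iptables -L` output shows (LOG with CHECK, DROP with UPDATE, then ACCEPT with SET). Each "Invalid user" line is a separate TCP connection, which is why the capture shows a fresh ephemeral source port per attempt, so each one is a new packet in state NEW that those rules would examine. The script answers one concrete question: with hitcount=3 and seconds=120, at which attempt should the DROP rule have started matching? Assumptions: the TTL-Match (--rttl) condition on the DROP rule is taken as satisfied, the two LOG rules are ignored because they never stop rule traversal, the year in the timestamps is invented (syslog omits it), and the log text is a constructed copy of the lines in the post.

```python
"""Replay sshd 'Invalid user' lines through a model of iptables -m recent.

Models the documented behaviour of xt_recent:
  --rcheck/--update --seconds S --hitcount N : match if the source is in the
      list and has >= N recorded hits within the last S seconds (the packet
      being examined is not itself counted); --update additionally records a
      fresh hit when it matches, so a blocked source stays blocked while it
      keeps retrying.
  --set : unconditionally record a hit for the source.
Assumption: --rttl (TTL-Match) is treated as always satisfied.
"""
import re
from datetime import datetime, timedelta

# Constructed copy of the sshd lines quoted in the post.
SAMPLE_LOG = """\
Jul 17 22:09:54 ASUS sshd[18491]: Invalid user pgsql from 217.11.27.19
Jul 17 22:09:59 ASUS sshd[18495]: Invalid user adm from 217.11.27.19
Jul 17 22:10:02 ASUS sshd[18497]: Invalid user ident from 217.11.27.19
Jul 17 22:10:04 ASUS sshd[18499]: Invalid user webpop from 217.11.27.19
Jul 17 22:10:07 ASUS sshd[18501]: Invalid user susan from 217.11.27.19
Jul 17 22:10:09 ASUS sshd[18503]: Invalid user sunny from 217.11.27.19
Jul 17 22:10:12 ASUS sshd[18505]: Invalid user steven from 217.11.27.19
Jul 17 22:10:15 ASUS sshd[18507]: Invalid user ssh from 217.11.27.19
Jul 17 22:10:17 ASUS sshd[18509]: Invalid user search from 217.11.27.19
Jul 17 22:10:20 ASUS sshd[18511]: Invalid user sara from 217.11.27.19
Jul 17 22:10:22 ASUS sshd[18513]: Invalid user robert from 217.11.27.19
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<src>\S+)"
)
ASSUMED_YEAR = 2007  # syslog lines carry no year; any value keeps the deltas right


def parse_sshd_log(text):
    """Return [(timestamp, source_ip, username)] for each 'Invalid user' line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an sshd invalid-user line; ignore
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["user"]))
    return events


class RecentTable:
    """One xt_recent list (e.g. 'badssh'): source address -> recorded hit times."""

    def __init__(self, seconds, hitcount):
        self.window = timedelta(seconds=seconds)
        self.hitcount = hitcount
        self.stamps = {}  # src -> [datetime, ...]

    def hits_in_window(self, src, now):
        # Only hits newer than now - seconds count; the current packet is not counted.
        return sum(1 for t in self.stamps.get(src, []) if now - t <= self.window)

    def check(self, src, now):
        """--rcheck --seconds --hitcount: source already has >= hitcount recent hits."""
        return src in self.stamps and self.hits_in_window(src, now) >= self.hitcount

    def update(self, src, now):
        """--update: like --rcheck, but a match also records a fresh hit (refreshes the block)."""
        matched = self.check(src, now)
        if matched:
            self.stamps[src].append(now)
        return matched

    def set(self, src, now):
        """--set: unconditionally record a hit for this source."""
        self.stamps.setdefault(src, []).append(now)


def run_chain(events, seconds=120, hitcount=3):
    """Walk each NEW SSH connection through the post's rule order and return verdicts.

    Order (LOG rules omitted, they never terminate): DROP(UPDATE) -> ACCEPT(SET).
    Returns [(verdict, src, user, timestamp)] in event order.
    """
    table = RecentTable(seconds, hitcount)
    verdicts = []
    for ts, src, user in events:
        if table.update(src, ts):        # DROP rule: -m recent --update --seconds 120 --hitcount 3
            verdicts.append(("DROP", src, user, ts))
        else:
            table.set(src, ts)           # ACCEPT rule: -m recent --set --name badssh
            verdicts.append(("ACCEPT", src, user, ts))
    return verdicts


if __name__ == "__main__":
    for verdict, src, user, ts in run_chain(parse_sshd_log(SAMPLE_LOG)):
        print(f"{ts:%b %d %H:%M:%S} {src} user={user:<8} -> {verdict}")
```

Run as-is, the replay accepts the first three attempts (each adds a SET entry) and drops everything from the fourth attempt at 22:10:04 onward, because the source then has three hits inside the 120-second window. Since the DROP rule uses UPDATE rather than CHECK, every dropped retry refreshes the entry, so a source that keeps hammering stays blocked; it is only accepted again once it has been quiet for the full 120 seconds. The model keeps a separate hit list per source address, as the real match does, so a second attacker starts with a clean count.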