Hello all,
I'm looking at hardening my SuSEfirewall2 (on openSUSE 13.1) a bit more. Two of the things I am thinking about are:
- rate-limiting of traffic to available services (for instance ssh but also apache)
- introducing an automated way of updating firewall rules to ward off attackers
Regarding number 1, I understand that services can drop ready-made configuration files in /etc/sysconfig/SuSEfirewall2.d/services. These contain the necessary ports to open to the outside world, etc. For instance, if you look at the file for the sshd service, this is included:
Code:
## Name: Secure Shell Server
## Description: Open ports for Secure Shell Server
# space separated list of allowed TCP ports
TCP="ssh"
Regarding number 2, I am not specifically looking for a how-to, just curious if there are people who have implemented such a feature and if so, with what kind of tool? I've been hearing good things about AFP, in combination with BFD, both from R-fx Networks. However, this would require removing the SuSEfirewall.
I'm very interested in your experiences/thoughts about this.
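An added example, not from the thread, covering both points of the question: SuSEfirewall2's own config file (/etc/sysconfig/SuSEfirewall2) documents hitcount/blockseconds/recentname flags on FW_SERVICES_ACCEPT_EXT entries, which is where a rate limit for sshd goes instead of the service file; the second half is the decision step of an automated blocker (count failed logins per source, report sources over a threshold), the part a tool like BFD automates. The threshold values, the function names and the log lines are assumptions constructed for the example.

```sh
#!/bin/sh
# Added example, not from the original post; values are assumed.

# build_ssh_ratelimit_entry PORT HITCOUNT SECONDS
# Emits the FW_SERVICES_ACCEPT_EXT entry for a rate-limited accept on PORT.
# SuSEfirewall2 passes hitcount/blockseconds/recentname to the iptables
# "recent" match, so a source that opens more than HITCOUNT new connections
# within SECONDS is no longer accepted for that window.
build_ssh_ratelimit_entry() {
    printf '0/0,tcp,%s,,hitcount=%s,blockseconds=%s,recentname=ssh\n' "$1" "$2" "$3"
}
# Resulting line for /etc/sysconfig/SuSEfirewall2 (assumed 3 hits per 60 s):
#   FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
# After restarting SuSEfirewall2, check with `iptables -L -n -v` that the
# rule accepting port 22 is the one carrying the recent match.

# count_failed_logins THRESHOLD  (reads sshd log lines on stdin)
# Prints "ip count" for every source with at least THRESHOLD failed logins.
# Successful logins ("Accepted ...") are ignored.
count_failed_logins() {
    awk -v limit="$1" '
        /Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") hits[$(i + 1)]++
        }
        END { for (ip in hits) if (hits[ip] >= limit) print ip, hits[ip] }
    ' | sort
}

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG='Jan 10 10:00:01 host sshd[1001]: Failed password for root from 192.0.2.10 port 50001 ssh2
Jan 10 10:00:03 host sshd[1002]: Failed password for invalid user admin from 192.0.2.10 port 50002 ssh2
Jan 10 10:00:04 host sshd[1003]: Accepted password for alice from 198.51.100.7 port 50003 ssh2
Jan 10 10:00:06 host sshd[1004]: Failed password for root from 203.0.113.5 port 50004 ssh2
Jan 10 10:00:09 host sshd[1005]: Failed password for root from 192.0.2.10 port 50005 ssh2'

# report_offenders THRESHOLD: runs the count over the sample log.
# What to do with the result (e.g. feed it into a drop rule) is a separate,
# administrator-controlled step; this only produces the list.
report_offenders() {
    printf '%s\n' "$SAMPLE_LOG" | count_failed_logins "$1"
}

report_offenders 3
```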