Re: [lvs-users] keepalived: SSH getting "No route to host"

To: " users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] keepalived: SSH getting "No route to host"
From: Gerry Reno <greno@xxxxxxxxxxx>
Date: Fri, 21 Sep 2007 22:46:12 -0400
Gerry Reno wrote:
> My SSH Highport solution has been working well (see last post), so now I 
> need to setup some firewall rules for rate-limiting so that I can expose 
> the port to the internet and not permit huge dictionary attacks against 
> the port. So I setup some iptables rules and ... it doesn't work. I 
> found a bunch of examples of doing this and I followed them very closely 
> but no luck. So I'm wondering if there is something about using the 
> directors that is causing problems with these rules.
> On the directors here's what I have:
> # iptables -L -n --line-numbers
> ...
> Chain RH-Firewall-1-INPUT (1 references)
> ...
> 16 tcp -- state NEW tcp dpt:33322 recent: SET name: 
> DEFAULT side: source
> 17 DROP tcp -- state NEW tcp dpt:33322 recent: 
> UPDATE seconds: 60 hit_count: 4 name: DEFAULT side: source
> 18 ACCEPT tcp -- state NEW tcp dpt:33322
> 19 REJECT 0 -- reject-with icmp-host-prohibited
After much testing what I found was that for whatever reason the 
rate-limiting firewall rules for port 33322 do not work when installed 
on the directors. So what I did was to put the rules on the realservers 
(which I was trying to avoid) for port 22. This works because the 
realservers map 33322 to 22. The best solution would be to get these 
rules working on the directors. But for now there is the realserver 
solution. I'll sleep a lot better knowing that no one can mount a 
high-speed dictionary attack on the exposed port. I've also set a very 
restricted set of allowed ssh users for that port to prevent default 
password attacks on well-known user accounts.


<Prev in Thread] Current Thread [Next in Thread>