Rick Stevens wrote:
I have iptables rules that only allow ssh tries from our networks or
machines I know of. To wit:
# Accept SSH from our networks...
-A INPUT -s aaa.bbb.ccc.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s ddd.eee.fff.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
# Accept SSH from my machine at home...
-A INPUT -s ggg.hhh.iii.jjj/32 -p tcp -m tcp --dport 22 -j ACCEPT
(more rules...)
At the end, put in a blanket "don't allow SSH from anywhere else" rule:
# Block any ssh attempts from outside our network...
-A INPUT -i eth0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j
REJECT --reject-with icmp-port-unreachable
I have restricted access to specific IPs only using hosts.deny and
hosts.allow. That does the job for me. And there is a dedicated firewall
sitting between the server and the Web which allows only SSH connections
to come through.
If you must leave ssh open to the outside world, use a simple iptables
ruleset to limit attempts:
*snip*
If more than one ssh attempt is made in 180 seconds (three minutes)
from a given IP address, this blocks that IP address for that duration.
You get one try. If you fail, you must wait 3 minutes before you can
try again.
Note that even a successful login is counted. If you log in and
immediately log out, you still have to wait 3 minutes to get in again.
Change the "--hitcount 2" bits to "--hitcount 3" if you want to give
yourself two tries to get in. You can also change the "--seconds 180"
to "--seconds 300" to make the delay 5 minutes. The values I give above
are enough to discourage most script kiddie attempts to get into your
box.
This is an excellent idea! Thanks a lot.
My original concern, more of a curiosity really, was about the username
NOUSER. I've be getting attempts for root ever since this server went
live. But never for "NOUSER".
--
Regards,
विवेक ज. पाटणकर (Vivek J. Patankar)
Registered Linux User #374218
Fedora release 7 (Moonshine)
Linux 2.6.22.1-33.fc7 x86_64
My USB drives automount! :p
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list