Re: NOUSER

Vivek J. Patankar wrote:
> Rick Stevens wrote:
>> I have iptables rules that only allow ssh tries from our networks or
>> machines I know of.  To wit:
>>
>> # Accept SSH from our networks...
>> -A INPUT -s aaa.bbb.ccc.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
>> -A INPUT -s ddd.eee.fff.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
>> # Accept SSH from my machine at home...
>> -A INPUT -s ggg.hhh.iii.jjj/32 -p tcp -m tcp --dport 22 -j ACCEPT
>> (more rules...)
>>
>> At the end, put in a blanket "don't allow SSH from anywhere else" rule:
>>
>> # Block any ssh attempts from outside our network...
>> -A INPUT -i eth0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
>
> I have restricted access to specific IPs only using hosts.deny and
> hosts.allow. That does the job for me. And there is a dedicated firewall
> sitting between the server and the Web which allows only SSH connections
> to come through.
>
>> If you must leave ssh open to the outside world, use a simple iptables
>> ruleset to limit attempts:
>> *snip*
>> If more than one ssh attempt is made in 180 seconds (three minutes)
>> from a given IP address, this blocks that IP address for that duration.
>> You get one try.  If you fail, you must wait 3 minutes before you can
>> try again.
>>
>> Note that even a successful login is counted.  If you log in and
>> immediately log out, you still have to wait 3 minutes to get in again.
>>
>> Change the "--hitcount 2" bits to "--hitcount 3" if you want to give
>> yourself two tries to get in.  You can also change the "--seconds 180"
>> to "--seconds 300" to make the delay 5 minutes.  The values I give above
>> are enough to discourage most script kiddie attempts to get into your
>> box.
>
> This is an excellent idea! Thanks a lot.

yum info fail2ban
yum install fail2ban

The fail2ban package dynamically blocks/unblocks IP addresses based on password failures...

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
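A small simulation of the hit-count/seconds behaviour Rick describes above, added here as an example; it is not code from the thread (the actual ruleset was snipped). It assumes the common shape of such a ruleset, a `-m recent --set` rule followed by `--update --seconds 180 --hitcount 2`, and uses constructed timestamps and addresses to show why a successful login also counts and why hammering the port keeps an address blocked.

```python
from collections import defaultdict, deque

# Assumed parameters, matching the values discussed in the thread.
WINDOW_SECONDS = 180
HITCOUNT = 2


class RecentLimiter:
    """Model of an iptables '-m recent --set' rule followed by
    '-m recent --update --seconds S --hitcount N -j REJECT' on new SSH
    connections (assumed shape of the snipped ruleset, not the original)."""

    def __init__(self, seconds=WINDOW_SECONDS, hitcount=HITCOUNT):
        self.seconds = seconds
        self.hitcount = hitcount
        self.seen = defaultdict(deque)  # ip -> timestamps of new connections

    def attempt(self, ip, t):
        """True if the new connection at time t from ip is accepted.

        The attempt is recorded before the check (--set runs first), so a
        successful login counts like a failure, and a rejected attempt still
        refreshes the entry (--update), so the quiet period restarts.
        """
        hits = self.seen[ip]
        hits.append(t)
        while hits and hits[0] < t - self.seconds:  # expire old entries
            hits.popleft()
        return len(hits) < self.hitcount


def simulate(attempts, seconds=WINDOW_SECONDS, hitcount=HITCOUNT):
    """Run (time, ip) attempts in order; return (time, ip, accepted) tuples."""
    limiter = RecentLimiter(seconds, hitcount)
    return [(t, ip, limiter.attempt(ip, t)) for t, ip in attempts]


def rejections_per_ip(results):
    """Count rejected attempts per address, e.g. to spot brute-force sources."""
    counts = defaultdict(int)
    for _, ip, accepted in results:
        if not accepted:
            counts[ip] += 1
    return dict(counts)


# Constructed sample: one address retries too quickly, another connects once.
SAMPLE_ATTEMPTS = [
    (0, "203.0.113.5"), (5, "198.51.100.7"), (10, "203.0.113.5"),
    (100, "203.0.113.5"), (200, "203.0.113.5"), (400, "203.0.113.5"),
]

if __name__ == "__main__":
    for t, ip, ok in simulate(SAMPLE_ATTEMPTS):
        print(f"t={t:4d} {ip:15s} {'ACCEPT' if ok else 'REJECT'}")
```

The attempt at t=200 is still rejected because the attempt at t=100 restarted the window; the address only gets back in at t=400, 180 seconds after its last try.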