Re: Passing password in ssh

["Mark Haney" <mhaney@xxxxxxxxxxxxxxxx>]

John Summerfield wrote:
> Aldo Foot wrote:
>
> > I have a couple of questions:
> >
> > 1. If you use the connection/hour limit scheme does it mean you don't
> >     use tcpwrappers and you only rely on user/password for authorization?
>
> tcpwrappers doesn't do anything I need that I can't also do with netfilter.
> > 2. Is this what you use to configure five ssh connections per hour?
> >     #tcplimit 22 5 hour on
> ?? I don't ken that.
> from iptables-save:
>
> -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m limit 
> --limit 5/hour -j LOG --log-
> prefix "SSH connexion "
> -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m limit 
> --limit 5/hour -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j LOG --log-prefix "SSH 
> connexion attack dropped "
> -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j DROP
>
>
> Here's a logwatch summary:
> Dropped 293 packets on interface eth0
>   From 89.149.217.67 - 5 packets to tcp(22)
>   From 116.38.112.245 - 4 packets to tcp(22)
>   From 124.128.250.178 - 26 packets to tcp(22)
>   From 128.135.130.42 - 1 packet to tcp(22)
>   From 202.106.62.148 - 42 packets to tcp(22)
>   From 203.94.8.149 - 28 packets to tcp(22)
>   From 203.153.36.4 - 25 packets to tcp(22)
>   From 203.174.48.70 - 28 packets to tcp(22)
>   From 210.212.249.165 - 1 packet to tcp(22)
>   From 219.239.218.162 - 27 packets to tcp(22)
>   From 220.177.248.174 - 28 packets to tcp(22)
>   From 221.13.10.139 - 78 packets to tcp(22)
>
> Logged 27 packets on interface eth0
>   From 89.149.217.67 - 2 packets to tcp(22)
>   From 116.38.112.245 - 2 packets to tcp(22)
>   From 124.128.250.178 - 2 packets to tcp(22)
>   From 128.135.130.42 - 1 packet to tcp(22)
>   From 202.106.62.148 - 3 packets to tcp(22)
>   From 203.94.8.149 - 2 packets to tcp(22)
>   From 203.153.36.4 - 2 packets to tcp(22)
>   From 203.174.48.70 - 2 packets to tcp(22)
>   From 219.239.218.162 - 2 packets to tcp(22)
>   From 220.177.248.174 - 2 packets to tcp(22)
>   From 221.13.10.139 - 7 packets to tcp(22)
>
> I am more liberal with connexions from locations I may visit; I don't 
> rate-limit or log.
>
> It would take some time or improbable luck for someone to crack a 
> password, even a weak one, at the rate of attempts I see.
>
> Note too that this is my second access control; I run shorewall on the 
> Internet gateway, and that blocks great gobs of people who've offended 
> me. Mostly, when folk get past my antispam I do a whois search and block 
>  _at_ least a /24 network, sometimes a /13. Those, I block smtp, imap 
> (we don't run pop) and ssh.

OSSEC can do that same thing for you automatically based on IP address 
of the attacker as well.


--
Libenter homines id quod volunt credunt -- Caius Julius Caesar


Mark Haney
Sr. Systems Administrator
ERC Broadband
(828) 350-2415

Call (866) ERC-7110 for after hours support

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list