Re: Unable to ssh nodes with global IP

On 24.10.2011 18:12, Tim wrote:
> On Sun, 2011-10-23 at 12:12 +0200, Reindl Harald wrote:
>> put sshd on port 10022 and all is well
>>  
>> this has the additional benefit of getting rid of most of the
>> idiots trying password attacks all day long
> 
> Though it won't stop the more determined ones.  Like those who scan for
> all open ports, and then look at what responses they get to determine
> what sort of server is listening.
> 
> If you have a (potentially) vulnerable server exposed, using something
> like fail2ban (if I remember the name correctly) can be a good idea.
> It allows a limited number of attempts from an IP, then temporarily
> blacklists that IP.  A hacker would have to have tremendous luck to
> guess a password in only two attempts, for instance.

I know all this, but it is not in a standard nmap scan, so you don't
have the logfiles full the whole day, and the overhead of a
non-standard port is practically non-existent

NOBODY should allow password login on sshd, ever, and we do not

additionally:
# sshd on YOURPORT: accept at most 60 new connections per minute with a
# burst of 20; every new connection beyond that gets a TCP reset.
# note: -m limit is one bucket shared by all sources, not a per-IP limit
iptables -A INPUT -p tcp --syn --sport 1024:65535 --dport YOURPORT -m state --state NEW \
    -m limit --limit 60/minute --limit-burst 20 -j ACCEPT
iptables -A INPUT -p tcp --syn --dport YOURPORT -m state --state NEW -j REJECT
___________

for portscans: allow only 120 connections from the same IP per second;
this makes it really hard to do a full port scan because it takes forever,
and additionally webservers are protected against a single DoS attack

try it with "ab -c 20 -n 100000 http://yourhost/" and you will see htop
shortly at 100% CPU, falling back to normal values in waves

# both commands use -I, so the second one ends up first in the chain:
# 1) drop a source that already has 120 new connections in the last second
#    (--update also refreshes its entry, so it stays blocked while it floods)
# 2) otherwise record the new connection for that source
# older kernels refuse a hitcount above the xt_recent module parameter
# ip_pkt_list_tot (default 20); raise it there if the DROP rule fails to load
iptables -I INPUT -p tcp -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp -i eth0 -m state --state NEW -m recent --update --seconds 1 --hitcount 120 -j DROP
___________

as you see, security is never one setting and done; obscurity as
additional prevention is good and has no overhead if someone knows how
to handle his machines

Attachment: signature.asc
Description: OpenPGP digital signature
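The following Python model is an added example, not code from the mail or from any Fedora component. It replays the four iptables rules from the post (the two `-m recent` rules and the two `-m limit` rules on the sshd port) against constructed traffic, so the effect of `--limit 60/minute --limit-burst 20` and `--seconds 1 --hitcount 120` can be seen without a root shell. It assumes YOURPORT is 10022 and uses RFC 5737 documentation addresses for the attacker, a port scanner and the admin; the traffic timeline is constructed.

```python
"""Model of the two iptables rate limits from the post, run over constructed
traffic: the global xt_limit token bucket protecting the sshd port and the
per-source xt_recent sliding window in front of it.  Added example, not code
from the mail; YOURPORT is assumed to be 10022 and the addresses are RFC 5737
documentation addresses."""
from collections import Counter, defaultdict, deque
from fractions import Fraction

SSH_PORT = 10022                 # the post's YOURPORT (assumed)
ATTACKER = "203.0.113.7"         # password brute forcer (constructed)
SCANNER = "203.0.113.9"          # port scanner (constructed)
ADMIN = "198.51.100.5"           # legitimate user (constructed)


class LimitMatch:
    """`-m limit --limit R/minute --limit-burst B`: one token bucket per rule,
    shared by every source address.  Fractions keep the arithmetic exact."""

    def __init__(self, per_minute, burst):
        self.rate = Fraction(per_minute, 60_000)   # tokens per millisecond
        self.burst = Fraction(burst)
        self.tokens = Fraction(burst)
        self.last_ms = 0

    def match(self, now_ms):
        refill = (now_ms - self.last_ms) * self.rate
        self.tokens = min(self.burst, self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class RecentMatch:
    """`-m recent --set` / `--update --seconds S --hitcount H`: per-source list
    of timestamps; --update matches once H stamps fall inside the window and,
    as the kernel does, adds another stamp on a match."""

    def __init__(self, seconds, hitcount):
        self.window_ms = seconds * 1000
        self.hitcount = hitcount
        self.stamps = defaultdict(deque)

    def set(self, src, now_ms):
        self.stamps[src].append(now_ms)

    def update(self, src, now_ms):
        if src not in self.stamps:
            return False
        q = self.stamps[src]
        while q and now_ms - q[0] > self.window_ms:   # forget stamps outside the window
            q.popleft()
        if len(q) >= self.hitcount:
            q.append(now_ms)
            return True
        return False


class InputChain:
    """The INPUT chain as the two -I and the two -A commands leave it."""

    def __init__(self, ssh_port=SSH_PORT):
        self.recent = RecentMatch(seconds=1, hitcount=120)
        self.limit = LimitMatch(per_minute=60, burst=20)
        self.ssh_port = ssh_port

    def new_tcp(self, now_ms, src, dport):
        # inserted last with -I, so evaluated first: once a source has 120 new
        # connections inside one second, everything further from it is dropped
        if self.recent.update(src, now_ms):
            return "DROP"
        self.recent.set(src, now_ms)             # the other -I rule
        if dport == self.ssh_port:               # the two -A rules
            return "ACCEPT" if self.limit.match(now_ms) else "REJECT"
        return "CONTINUE"                        # rest of the admin's chain decides


def build_traffic():
    """Constructed (time_ms, src, dport) SYNs: a 10/s password brute force for
    10 s, the admin logging in during and after it, and a 300-port scan."""
    events = [(100 * i, ATTACKER, SSH_PORT) for i in range(100)]
    events += [(5050, ADMIN, SSH_PORT), (20_000, ADMIN, SSH_PORT)]
    events += [(100_000 + i, SCANNER, 1 + i) for i in range(300)]
    return sorted(events)


def run(events):
    """Return per-source verdict counts and the verdict of every single SYN."""
    chain = InputChain()
    counts = defaultdict(Counter)
    verdicts = {}
    for t, src, dport in events:
        v = chain.new_tcp(t, src, dport)
        counts[src][v] += 1
        verdicts[(t, src, dport)] = v
    return counts, verdicts


if __name__ == "__main__":
    counts, verdicts = run(build_traffic())
    for src in (ATTACKER, ADMIN, SCANNER):
        print(src, dict(counts[src]))
    print("admin during the flood:", verdicts[(5050, ADMIN, SSH_PORT)])
```

Two things the model makes visible: the brute forcer at 10 SYN/s gets its first 20-odd connections through the burst and then only about one per second, and the port scanner is cut off after 120 SYNs in a second and stays cut off while it keeps scanning. The caveat is the admin's own login attempt during the flood, which is rejected as well, because `-m limit` is a single bucket for the rule rather than one per source; `-m hashlimit --hashlimit-mode srcip` is the per-source variant if that matters.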

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines