On 06/29/2017 08:10 PM, jdow wrote:
A rule like this makes cracking your 123456 password a whole lot
harder without changing anything else.
iptables -t filter -A IN_public_deny -p tcp --dport pop3s --syn -m
recent --name pop3s_attack --rcheck --seconds 90 --hitcount 2 -j LOG
--log-prefix 'SSH2 REJECT: ' --log-level info
The magic is in "-m recent --rcheck --seconds 90 --hitcount 2". That
means any given site gets one chance to log in before facing a 90-second
blockage. If they have to guess "AZBYCXDW" as a password, you can
imagine how long you have to catch him in your log and explicitly block
his whole subnet.
{^_-}
Hi, Joanne--
I tried to write this command to a root console in PCLInuxOS, but it got
rejected.
[root@linux1 doug]# iptables -t filter -A IN_public_deny -p tcp --dport
pop3s --syn -m recent --name pop3s_attack --rcheck --seconds 90
--hitcount 2 -j LOG --log-prefix 'SSH2 REJECT: ' --log-level info
iptables: No chain/target/match by that name
Obviously I'm doing something wrong. Do I need some file installed first?
If so, what file? Can you help me, please?
--doug
On 2017-06-29 16:06, Samuel Sieb wrote:
On 06/29/2017 03:28 PM, William Mattison wrote:
While looking at journalctl output yesterday and today for other
reasons (separate thread), I saw many "authentication failure"
messages, over half also saying "user=root". I also saw many
"password check failed for user (root)" messages. I saw many
unknown user login attempts, and a few invalid user login attempts,
and some attempts using one of the valid regular user names. Why?
I am not yet good at reading journalctl output, so I don't know if
these connection attempts are coming from "outside" or within this
system. I don't know if I should be concerned or not. I do not
intend anyone or anything to be able to get into this system except
for things that I initiate (examples: Firefox activity, Thunderbird
activity, "dnf upgrade", installs, etc.). And it doesn't make sense
to me that any of those would be trying to log in to this system to
do what I want. I also don't see why anything on this system would
try to log in to this same system except me personally (su, sudo, and
actual logins). I am the only actual user.
What's going on? How do I determine where they're coming from? Is
there really someone or something trying to hack in? If no, what
really is going on?
Assuming that your computer is directly connected to the internet,
then yes, that is someone trying to brute force your root (or other
user) password. That is completely "normal". There should be an IP
address logged, either on the same line or nearby, for the computer
that's connecting.
Most important,
How do I prevent connections from outside?
If you have no intention of remotely logging in to your computer,
then use the firewall configuration tool to block the ssh port as
well. By default, it leaves that one open. On the system I have a
password for logging in, I have a firewall rule that limits ssh
connections to one per minute for each address connecting. That
drastically reduces the brute force attempts. On most other systems I
use keys only, so I don't even bother limiting those ones.
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
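An added example, not taken from any post in this thread, covering the two questions it raises: where the failed logins are coming from, and how to build the "one SSH connection per minute per address" limit Samuel describes. The log lines are constructed in the formats sshd and pam_unix emit (documentation addresses, not real attackers). The rule generator assumes the plain INPUT chain, port 22 and a list name of ssh_limit; the IN_public_deny chain in the posted rule is one that firewalld creates, so it exists only on a host where firewalld is running, and "No chain/target/match by that name" is also what iptables reports when the xt_recent match module is not available. Both the chain name and the list name here are the example's own choices.

```sh
#!/bin/sh
# Added example (not from the thread): find where failed logins come from,
# and generate a per-address SSH rate limit with "-m recent".

# Constructed sample journal/auth lines in the formats sshd and pam_unix use.
SAMPLE_LOG='Jun 29 15:01:02 linux1 sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jun 29 15:01:05 linux1 sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Jun 29 15:02:10 linux1 sshd[1236]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=root
Jun 29 15:02:12 linux1 unix_chkpwd[1237]: password check failed for user (root)
Jun 29 15:03:00 linux1 sudo[1300]: pam_unix(sudo:auth): authentication failure; logname=doug uid=1000 euid=0 tty=/dev/pts/0 ruser=doug rhost=  user=doug
Jun 29 15:03:30 linux1 sshd[1301]: Failed password for root from 198.51.100.7 port 40022 ssh2'

# Reads log text on stdin; prints "count source", highest count first.
# Real use: journalctl -u sshd --since today | failed_auth_sources
failed_auth_sources() {
    awk '
        # sshd logs one "Failed password for ... from <addr> port <n>" per attempt.
        /sshd\[[0-9]+\]: Failed password for / {
            src = $0
            sub(/.* from /, "", src)
            sub(/ port .*/, "", src)
            n[src]++
            next
        }
        # pam_unix "authentication failure" lines carry rhost=. An empty rhost
        # means a process on this host (su, sudo, console login) made the attempt.
        # sshd emits one of these per attempt as well as its own line, so only
        # the local case is counted here to avoid counting each SSH attempt twice.
        /authentication failure;/ && /rhost= / { n["local"]++ }
        END { for (s in n) print n[s], s }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

# Prints iptables commands allowing one new SSH connection per address per
# 60 seconds. Assumed names (this example, not the thread): chain INPUT,
# port 22, recent list ssh_limit. Review the output, then run it as root.
# The --set rule records every new SYN; the --update rules match once the
# address has two or more recorded hits in the last 60 seconds, i.e. from the
# second connection on, and refresh the timestamp so repeat tries stay blocked.
ssh_ratelimit_rules() {
    cat <<'EOF'
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name ssh_limit --set
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name ssh_limit --update --seconds 60 --hitcount 2 -j LOG --log-prefix "SSH LIMIT: " --log-level info
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name ssh_limit --update --seconds 60 --hitcount 2 -j DROP
EOF
}

# Stand-alone run: summarise the sample, then show the rules.
printf '%s\n' "$SAMPLE_LOG" | failed_auth_sources
ssh_ratelimit_rules
```

The summary separates remote sources (addresses taken from sshd's own lines) from local attempts (pam_unix lines with an empty rhost=), which is the distinction William asks about; a "password check failed for user (root)" line from unix_chkpwd carries no address and is not counted. Note that --rcheck on its own only consults the list; nothing is ever blocked unless some rule also does --set, which is why the generated set has both.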