Addendum - turn off any other firewall to use the one I just posted.
{^_^}
On 2017-06-29 18:24, Doug wrote:
On 06/29/2017 08:10 PM, jdow wrote:
A rule like this makes cracking your 123456 password a whole lot harder
without changing anything else.
iptables -t filter -A IN_public_deny -p tcp --dport pop3s --syn -m recent
--name pop3s_attack --rcheck --seconds 90 --hitcount 2 -j LOG --log-prefix
'SSH2 REJECT: ' --log-level info
The magic is in "-m recent --rcheck --seconds 90 --hitcount 2". That means any
given site gets one chance to login before facing a 90 second blockage. If
they have to guess "AZBYCXDW" as a password you can imagine how long you have
to catch him in your log and explicitly block his whole subnet.
{^_-}
Hi, Joanne--
I tried to write this command to a root console in PCLInuxOS, but it got rejected.
[root@linux1 doug]# iptables -t filter -A IN_public_deny -p tcp --dport pop3s
--syn -m recent --name pop3s_attack --rcheck --seconds 90 --hitcount 2 -j LOG
--log-prefix 'SSH2 REJECT: ' --log-level info
iptables: No chain/target/match by that name
Obviously I'm doing something wrong. Do I need some file installed first?
If so, what file? Can you help me, please?
--doug
On 2017-06-29 16:06, Samuel Sieb wrote:
On 06/29/2017 03:28 PM, William Mattison wrote:
While looking at journalctl output yesterday and today for other reasons
(separate thread), I saw many "authentication failure" messages, over half
also saying "user=root". I also saw many "password check failed for user
(root)" messages. I saw many unknown user login attempts, and a few invalid
user login attempts, and some attempts using one of the valid regular user
names. Why? I am not yet good at reading journalctl output, so I don't know
if these connection attempts are coming from "outside" or within this
system. I don't know if I should be concerned or not. I do not intend
anyone or anything to be able to get in to this system except for things
that I initiate (examples: Firefox activity, Thunderbird activity, "dnf
upgrade", installs, etc.). And it doesn't make sense to me that any of
those would be trying to log in to this system to do what I want. I also
don't see why anything on this system would try to log in to this same
system except me personally (su, sudo, and
actual logins). I am the only actual user.
What's going on? How do I determine where they're coming from? Is there
really someone or something trying to hack in? If no, what really is going on?
Assuming that your computer is directly connected to the internet, then yes,
that is someone trying to brute force your root (or other user) password.
That is completely "normal". There should be an IP address logged either on
the same line or nearby of the computer that's connecting.
Most important,
How do I prevent connections from outside?
If you have no intention of remotely logging in to your computer, then use
the firewall configuration tool to block the ssh port as well. By default,
it leaves that one open. On the system I have a password for logging in, I
have a firewall rule that limits ssh connections to one per minute for each
address connecting. That drastically reduces the brute force attempts. On
most other systems I use keys only, so I don't even bother limiting those ones.
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
