Re: Is there an openssh security problem?




Coert Waagmeester wrote:
On Thu, 2009-07-09 at 15:18 -0700, Bill Campbell wrote:
This appeared today on Macworld, an article saying this is
probably a hoax:

http://www.macworld.com/article/141628/2009/07/openssh_securityhoax.html?lsrc=rss_main

Bill

In my iptables setup I have the following rules: (excuse the ugly line
breaks)

# Drop (via the user-defined DROPLOG chain, defined elsewhere) a NEW ssh
# connection whose source was already seen within the last 15 seconds.
# --update also refreshes that source's "last seen" timestamp on a match,
# so a source that keeps retrying stays blocked.
/sbin/iptables -A INPUT -i eth0 -p tcp -s 196.1.1.0/24 -d 196.1.1.31 \
    --dport 22 -m state --state NEW -m recent --update --seconds 15 \
    -j DROPLOG

# Otherwise record the source in the recent list and accept the connection.
/sbin/iptables -A INPUT -i eth0 -p tcp -s 196.1.1.0/24 -d 196.1.1.31 \
    --dport 22 -m state --state NEW -m recent --set -j ACCEPT

# Packets of already-accepted connections. --state takes one comma-separated
# list; repeating the option is not portable across iptables versions.
/sbin/iptables -A INPUT -i eth0 -p tcp -s 196.1.1.0/24 -d 196.1.1.31 \
    --dport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT

it only allows one NEW connection to ssh per minute.

That is also a good protection right?


Regards,
Coert

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos

Not really protection - rather a deterrent - it just makes it slower for the script kiddies that try brute force attacks - they have to pace themselves to one try per minute rather than one or two per second. Thus they normally move on to an easier target. You can also use iptables to allow say four attempts from an IP and then block for 5 or more minutes - this is what I use.
HTH
Rob
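Rob's "allow four attempts from an IP, then block" variant, written out below as an added example that is not from this thread; it reuses the recent match from Coert's rules, and the SSH_THROTTLE chain, the list name SSH and the eth0 default are placeholders of my own.

```shell
#!/bin/sh
# Added example, not from the thread: Rob's "allow N attempts from an IP,
# then block" variant of Coert's rules, built on the same "recent" match.
# Chain name SSH_THROTTLE, list name SSH and the eth0 default are my own
# placeholders. Needs the xt_recent module; its default ip_pkt_list_tot=20
# caps --hitcount at 20.
set -u

# Print the iptables commands that allow at most $1 NEW ssh connections per
# source address within $2 seconds on interface $3 and drop the rest.
# Nothing is applied here; pipe the output to sh as root to install it.
ssh_throttle_rules() {
    hits="$1"; secs="$2"; iface="${3:-eth0}"
    # Ordering is the whole trick. The --update/--hitcount DROP rule sits
    # before the --set ACCEPT rule, so a source gets exactly $hits
    # connections and the next one is dropped (swap them and only
    # $hits-1 get through, because --set has already stamped the current
    # attempt). --rcheck only reads the list, so logging with it has no
    # side effect; --update re-stamps the entry on every match, so a
    # source that keeps hammering stays blocked until it has been quiet
    # for $secs seconds.
    cat <<EOF
iptables -N SSH_THROTTLE
iptables -A SSH_THROTTLE -m recent --name SSH --rcheck --seconds $secs --hitcount $hits -m limit --limit 6/min -j LOG --log-prefix "ssh-throttle: "
iptables -A SSH_THROTTLE -m recent --name SSH --update --seconds $secs --hitcount $hits -j DROP
iptables -A SSH_THROTTLE -m recent --name SSH --set -j ACCEPT
iptables -A INPUT -i $iface -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $iface -p tcp --dport 22 -m state --state NEW -j SSH_THROTTLE
EOF
}

# Rob's numbers: 4 attempts, then dropped until 5 minutes of silence.
ssh_throttle_rules "${1:-4}" "${2:-300}" "${3:-eth0}"
```

Run it as `sh throttle.sh 4 300 eth0 | sudo sh` to install the rules, or without the pipe to review them first.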

