On Thu, 28 Apr 2005, Roger Grosswiler wrote:
> We have a nice tool called system-config-securitylevel, why isn't
> it possible to indicate some ips or ranges there and click to
> "stealth" so, this port is just visible to the indicated
Usually with ssh you want it generally accessible. The 'recent'
module is useful though, to slow-down brute force attacks:
# grep ssh-scan /etc/sysconfig/iptables
:ssh-scan - [0:0]
-A infilter -j ssh-scan
-A ssh-scan -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
-A ssh-scan -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH --rsource -j LOG --log-prefix "SSH Scan: "
-A ssh-scan -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH --rsource -j DROP
(as seen on Debian Planet).
The hitcount parameter probably should be reduced to 3 to 5 though
(I use 8 to filter ssh to a whole subnet).
Paul Jakma paul@xxxxxxxx paul@xxxxxxxxx Key ID: 64A2FF6A
You will lose an important tape file.
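To see how the three ssh-scan rules above interact, here is a small model of the `recent` match written for this thread (added example, not code from the list or from the kernel). It models `--set` as recording a timestamp per NEW connection and `--update --seconds S --hitcount N` as matching once N stamps fall inside the last S seconds; `--rttl` is not modelled, and the event list is constructed. It also lets you compare hitcount 8 with the lower 3 to 5 suggested in the reply.

```python
"""Model of netfilter's 'recent' match as used in the ssh-scan chain.

Constructed illustration (not xt_recent itself): per source address it keeps
the timestamps of NEW connections (--set) and matches once --hitcount stamps
lie within the last --seconds seconds (--update).  --rttl is not modelled.
"""
from collections import defaultdict, deque

PKT_LIST_TOT = 20  # kernel default ip_pkt_list_tot: stamps kept per address


class RecentList:
    """One named list (the thread's --name SSH), keyed by source address."""

    def __init__(self, seconds, hitcount):
        self.seconds = seconds
        self.hitcount = hitcount
        self.stamps = defaultdict(lambda: deque(maxlen=PKT_LIST_TOT))

    def set(self, src, now):
        """-m recent --set: record this packet's time for src (always matches)."""
        self.stamps[src].append(now)

    def update(self, src, now):
        """-m recent --update --seconds S --hitcount N: match when src already
        has at least N stamps no older than S seconds.  On a match the entry
        gets a fresh stamp, as the kernel refreshes it only when the rule hits."""
        if src not in self.stamps:
            return False
        recent = sum(1 for t in self.stamps[src] if t >= now - self.seconds)
        if recent >= self.hitcount:
            self.stamps[src].append(now)
            return True
        return False


def ssh_scan_chain(events, seconds=60, hitcount=8):
    """Walk (time, src) NEW-SYN events through the three ssh-scan rules.

    Returns (verdicts, log_lines): one verdict per event, 'DROP' or 'RETURN'
    (no rule matched, so the packet falls back into infilter), plus the lines
    the LOG target would have produced."""
    table = RecentList(seconds, hitcount)
    verdicts, log_lines = [], []
    for now, src in events:
        table.set(src, now)                 # rule 1: --set
        if table.update(src, now):          # rule 2: --update ... -j LOG
            log_lines.append(f"SSH Scan: t={now} SRC={src}")
            table.update(src, now)          # rule 3: same match, -j DROP
            verdicts.append("DROP")
        else:
            verdicts.append("RETURN")
    return verdicts, log_lines


def verdicts_by_source(events, seconds=60, hitcount=8):
    """Group the chain's verdicts per source address, in event order."""
    verdicts, _ = ssh_scan_chain(events, seconds, hitcount)
    grouped = defaultdict(list)
    for (_, src), verdict in zip(events, verdicts):
        grouped[src].append(verdict)
    return dict(grouped)


# Constructed traffic: a fast guesser, a slow guesser and an admin.
EVENTS = sorted(
    [(t, "10.0.0.5") for t in range(10)]                       # 10 tries in 10 s
    + [(5, "192.0.2.10"), (30, "192.0.2.10"), (100, "192.0.2.10")]  # admin, 3 logins
    + [(t, "10.0.0.7") for t in range(0, 100, 10)]              # 10 tries, 10 s apart
)

if __name__ == "__main__":
    for hc in (8, 5):
        print(f"--hitcount {hc}:")
        for src, v in verdicts_by_source(EVENTS, 60, hc).items():
            print(f"  {src:<12} {' '.join(x[0] for x in v)}")
```

With hitcount 8 the fast guesser is dropped from its 8th attempt, while the source trying every 10 s never has 8 stamps inside a 60 s window and is never blocked; with hitcount 5 both guessers are blocked and the admin's three logins still pass, which is the trade-off behind the suggestion to lower the value for a single host.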