Unfortunately I cannot lock my SSH source hosts as they are always
different and I got tired
of constantly blocking at my firewall.
Worked up swatch this config below to modify the host IPTABLES and drop
traffic if root was attempted
or if a non existent user was provided.
For those not familiar with swatch you can get it here:
http://swatch.sourceforge.net/
Make sure you get 3.0.8 because "exec" was not working for me in the
newer versions.
good luck
#start
watchfor /sshd.*: Failed password for root from/
mail=myaddress,subject=Root_Login_Attempt
exec /sbin/iptables -I INPUT -i eth0 -s $11 -d 0/0 -p tcp
--dport 22 -j DROP
watchfor /sshd.*: Illegal user/
mail=myaddress,subject=Illegal_user_attempt
exec /sbin/iptables -I INPUT -i eth0 -s $10 -d 0/0 -p tcp
--dport 22 -j DROP
#end
On Wed, 2004-08-04 at 13:45, Jack Bowling wrote:
On Wed, Aug 04, 2004 at 11:54:03AM -0400, ne... wrote:
> On Aug 4, 2004 at 11:03, Matt Morgan in a soothing rage wrote:
>
> [...]
> >So use hosts.allow instead, and specify the few particular hosts that
> >are allowed to attempt to connect. Everyone else will be summarily
> >rejected. (Firewalling the world is not a bad option, either).
> Does SSH use tcp wrappers on FC? If no, then modifying hosts.allow
> and/or hosts.deny would be futile. If you have less than three
> users connecting to your machine using ssh, I would just add
> those users to the AllowUsers directive, else create a group and
> add the users to it then use the AllowGroups directive.
Yes, FC has tcp wrapper-enabled sshd. Not using the hosts.access files to
add another layer of security is foolhardy, IMO.
--
Jack Bowling
mailto: jbinpg(a)shaw.ca