hardening SSH
Michael Klinosky
mpk2 at enter.net
Sat Aug 18 02:55:20 UTC 2007
Rick:
> If you only want to allow incoming ssh sessions from that address
> block, use iptables and insert a rule:
> -A INPUT -p tcp -m tcp -s 200.100.0.0/16 --sync --dport 22 -j ACCEPT
> and make sure the last rule is something like:
> -A INPUT -p tcp -m tcp --tcp-flags SYN,ACK,FIN,RST SYN -j DROP
> to drop any other connection attempts other than the ones allowed above
> it.
How does this differ from the hosts.allow & hosts.deny method?
Justin:
> If you would be able to tell us which ISP you have, you may be able to
> narrow down the address range even more.
I know about whois.org - so I tried it. I had to delve a bit to get the
detailed info, but found the range. There is a CIDR - is that what I
want? It's narrowed down to /21.
More information about the users
mailing list