I love IP Tables....

Manuel Arostegui Ramirez manuel at todo-linux.com
Sat May 26 10:39:05 UTC 2007


On Saturday, 26 May 2007 12:19, jdow wrote:
> From: "Amadeus W.M." <amadeus84 at verizon.net>
>
> >> People asked - here is the answer:
> >> # Then setup the reject trap
> >> $IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
> >> $IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
> >>   --rcheck --seconds 180 --hitcount 2 -j LOG --log-prefix 'SSH REJECT: '
> >> $IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
> >>   --rcheck --seconds 180 --hitcount 2 -j REJECT --reject-with tcp-reset
> >>
> >>
> >> Adapt it to your configuration, of course. {^_^}   (I probably should
> >> have included that in the first email for politeness. Please 'scuse me.)
> >
> > You do know, that if you run ssh on your pet's birthday port, rather than
> > 22, you will not see any of the crap brute force attacks, don't you?
>
> Yes, but then I've faced enough port scans to realize that security
> through obscurity is horse feathers.
>

I didn't mean to say that hiding your port would be the KEY to all of SSH
security :-)
It's just one more barrier to the script kiddies. From my point of view the
best way to avoid brute-force attacks is to only allow public/private key
authentication.


-- 
Manuel Arostegui Ramirez.

Electronic Mail is not secure, may not be read every day, and should not
be used for urgent or sensitive issues.
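The quoted rule set relies on how xt_recent counts hits: every SYN to port 22 is first --set into the sshattack list, then --rcheck'ed with --seconds 180 --hitcount 2, and a match is LOGged and REJECTed. The following is an added example, not code from the thread or from jdow: a small Python model of that bookkeeping, with semantics taken from iptables-extensions(8) (per-source hit timestamps, match when the source has at least --hitcount hits inside the --seconds window). The 20-hit cap per address is the module's default ip_pkt_list_tot, the inclusive window boundary is an assumption, and the addresses and timestamps are constructed sample traffic. It shows both what the trap catches and the caveat an admin should know: a legitimate user who opens two sessions within 180 s is rejected exactly like the brute-forcer.

```python
"""Model of the xt_recent SSH trap quoted in the thread (added example, not jdow's code).

Semantics approximated from iptables-extensions(8); the <= on the window edge and the
20-hit default for ip_pkt_list_tot are assumptions, not verified against the kernel.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 180
HITCOUNT = 2
PKT_LIST_TOT = 20   # assumed xt_recent default: max hit timestamps kept per address


class RecentList:
    """One xt_recent list, e.g. '-m recent --name sshattack'."""

    def __init__(self, max_hits=PKT_LIST_TOT):
        self.hits = defaultdict(deque)   # source address -> hit timestamps, oldest first
        self.max_hits = max_hits

    def set(self, src, now):
        """--set: add src to the list, or record another hit if it is already listed."""
        q = self.hits[src]
        q.append(now)
        while len(q) > self.max_hits:
            q.popleft()                  # hits beyond the per-address cap are dropped

    def rcheck(self, src, now, seconds, hitcount):
        """--rcheck --seconds N --hitcount M: src listed with >= M hits in the last N seconds?"""
        if src not in self.hits:
            return False
        in_window = sum(1 for t in self.hits[src] if now - t <= seconds)
        return in_window >= hitcount


def filter_syn(events, window=WINDOW_SECONDS, hitcount=HITCOUNT):
    """Run (timestamp, src) SYNs through the quoted three-rule trap, in rule order.

    Returns (timestamp, src, verdict) per SYN. 'ACCEPT' only means the SYN fell
    through the trap to whatever follows it in the INPUT chain.
    """
    sshattack = RecentList()
    verdicts = []
    for now, src in sorted(events):
        sshattack.set(src, now)                       # rule 1: --set
        if sshattack.rcheck(src, now, window, hitcount):
            verdicts.append((now, src, "REJECT"))     # rules 2+3: LOG, then REJECT tcp-reset
        else:
            verdicts.append((now, src, "ACCEPT"))
    return verdicts


# Constructed sample traffic (documentation addresses, not real hosts).
ATTACKER = "203.0.113.5"
ADMIN = "198.51.100.7"
SYN_LOG = [
    (0,   ATTACKER),   # first SYN: 1 hit in window -> passes
    (10,  ATTACKER),   # second SYN 10 s later: 2 hits -> rejected
    (20,  ADMIN),      # admin's first session -> passes
    (50,  ADMIN),      # admin's second session within 180 s -> rejected too (the caveat)
    (150, ATTACKER),   # 3 hits still inside the window -> rejected
    (400, ATTACKER),   # every earlier hit has aged out; 1 hit -> passes again
]


def rejected_sources(events):
    """Distinct sources that were rejected at least once."""
    return sorted({src for _, src, v in filter_syn(events) if v == "REJECT"})


if __name__ == "__main__":
    for now, src, verdict in filter_syn(SYN_LOG):
        print(f"t={now:4d}s  {src:15s}  {verdict}")
```

Because --set runs before --rcheck, the hit from the current SYN is already counted, so --hitcount 2 means "the second SYN inside the window is rejected". Raising --hitcount or shortening --seconds trades brute-force coverage for fewer false rejects; Manuel's point in the message above sidesteps the trade-off entirely, since with PasswordAuthentication no in sshd_config a guessed password is worth nothing regardless of how many attempts get through.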
