Unable to ssh nodes with global IP

Reindl Harald h.reindl at thelounge.net
Mon Oct 24 16:31:23 UTC 2011



On 24.10.2011 18:12, Tim wrote:
> On Sun, 2011-10-23 at 12:12 +0200, Reindl Harald wrote:
>> put sshd on port 10022 and all is well
>>  
>> this has the additional benefit to get rid of the most
>> idiots trying password-attacks all day long
> 
> Though it won't stop the more determined ones.  Like those who scan for
> all open ports, and then look at what responses they get to determine
> what sort of server is listening.
> 
> If you have a (potentially) vulnerable server exposed, using something
> like fail2ban (if I remembered the name correctly) can be a good idea.
> It allows a limited number of attempts from an IP, then temporarily
> blacklists that IP.  A hacker would have to have tremendous luck to
> guess a password in only two attempts, for instance.

I know all this, but it is not in standard nmap, and so you do not
have the logfiles full all day long, and the overhead of a
non-standard port is practically non-existent.

NOBODY should allow password login on sshd, ever, and we do not.

additionally:
# let at most 60 new connections per minute (burst of 20) reach sshd; any SYN beyond that is rejected
iptables -A INPUT -p tcp --sport 1024:65535 -m state --syn --state NEW --dport YOURPORT -m limit --limit 60/minute --limit-burst 20 -j ACCEPT
iptables -A INPUT -p tcp -m state --syn --state NEW --dport YOURPORT -j REJECT
___________

For portscans: allowing only 120 connections per second from the same IP
makes it really hard to do a full port scan, because it takes forever, and
additionally webservers are protected against a single DoS attack.

Try it with "ab -c 20 -n 100000 http://yourhost/" and you will briefly see
100% CPU in htop, falling back to normal values in waves.

# -I puts the second rule in front of the first: count the SYNs already seen from this
# address within the last second and drop the 121st and beyond, then record this SYN
# (xt_recent remembers ip_pkt_list_tot stamps per address, module default 20; --hitcount
# may not exceed it, so load the module with ip_pkt_list_tot=120 for this rule)
iptables -I INPUT -p tcp -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp -i eth0 -m state --state NEW -m recent --update --seconds 1 --hitcount 120 -j DROP
___________

As you see, security is never one setting and done; obscurity as
additional prevention is good and has no overhead if someone knows how
to handle his machines.
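The two rule sets above, as an added example that is not part of the original message: a pure-Python model of how the `-m limit` token bucket and the `-m recent` sliding window decide on new TCP connections. It shows the burst of 20 on the sshd port and the slow refill afterwards, the 120-per-second cap per source address, that a source which keeps hammering stays dropped until it goes quiet (because `--update` refreshes the entry on every match), and that the module's default of 20 remembered stamps per address cannot support `--hitcount 120`. The addresses, packet timings, and the class and function names are constructed for this example; `pkt_list_tot` stands in for the xt_recent module parameter ip_pkt_list_tot.

```python
"""Model of the two netfilter rate limits from the post (added example, not the post's code).

LimitMatch  models  -m limit --limit 60/minute --limit-burst 20        (token bucket)
RecentChain models  -m recent --update --seconds 1 --hitcount 120 -j DROP
                    -m recent --set                                      (per-source window)
All traffic below is constructed; nothing here talks to a real kernel.
"""
from collections import deque


class LimitMatch:
    """Token bucket as xt_limit behaves: starts with `burst` tokens, refills at the
    average rate, and a packet matches only while a whole token is available."""

    def __init__(self, per_minute=60, burst=20):
        self.capacity = burst
        self.tokens = float(burst)
        self.refill_per_sec = per_minute / 60.0
        self.last_seen = 0.0

    def allows(self, now):
        self.tokens = min(self.capacity,
                          self.tokens + (now - self.last_seen) * self.refill_per_sec)
        self.last_seen = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True      # limit rule matched -> ACCEPT
        return False         # no token left: falls through to the REJECT rule


class RecentChain:
    """The two xt_recent rules in the order `iptables -I` leaves them:
    1. --update --seconds S --hitcount N -j DROP  (counts stamps already stored; a match
       also refreshes the entry, so a source that keeps hammering stays dropped)
    2. --set                                      (records this SYN; no target, so the
       packet continues down the chain)
    `pkt_list_tot` plays the role of the module parameter ip_pkt_list_tot."""

    def __init__(self, seconds=1.0, hitcount=120, pkt_list_tot=120):
        if hitcount > pkt_list_tot:
            # xt_recent refuses such a rule at insertion time; the default ip_pkt_list_tot
            # is 20, so --hitcount 120 needs the module parameter raised first.
            raise ValueError(f"hitcount {hitcount} > ip_pkt_list_tot {pkt_list_tot}")
        self.seconds, self.hitcount = seconds, hitcount
        self.pkt_list_tot = pkt_list_tot
        self.table = {}      # source address -> ring buffer of SYN timestamps

    def allows(self, src, now):
        stamps = self.table.get(src)
        if stamps is not None:
            hits = sum(1 for t in stamps if now - t <= self.seconds)
            if hits >= self.hitcount:
                stamps.append(now)          # --update matched: refresh the entry
                return False                # DROP
        self.table.setdefault(src, deque(maxlen=self.pkt_list_tot)).append(now)  # --set
        return True


def sshd_limit_demo():
    """100 SYNs to the sshd port in one burst, 100 more after 5 s, 100 more much later."""
    lim = LimitMatch()
    flood = sum(lim.allows(i * 0.001) for i in range(100))
    after_5s = sum(lim.allows(5.1 + i * 0.001) for i in range(100))
    after_long_quiet = sum(lim.allows(100.0 + i * 0.001) for i in range(100))
    return {"flood": flood, "after_5s": after_5s, "after_long_quiet": after_long_quiet}


def accepted_per_second(chain, src, rate_per_sec, seconds, start=0.0):
    """Feed evenly spaced SYNs from `src` through the recent rules; count accepts per second."""
    counts = [0] * seconds
    for i in range(rate_per_sec * seconds):
        if chain.allows(src, start + i / rate_per_sec):
            counts[i // rate_per_sec] += 1
    return counts


def recent_demo():
    chain = RecentChain()
    flood = accepted_per_second(chain, "203.0.113.10", 500, 3)     # ab-style hammering
    other = chain.allows("198.51.100.7", 1.5)                       # unrelated client
    after_quiet = chain.allows("203.0.113.10", 4.5)                 # more than 1 s of silence
    steady = accepted_per_second(RecentChain(), "203.0.113.20", 100, 3)  # stays under the cap
    return {"flood_500ps": flood, "other_ip_during_flood": other,
            "after_quiet": after_quiet, "steady_100ps": steady}


def default_module_rejects_rule():
    """With the stock ip_pkt_list_tot of 20, the post's --hitcount 120 rule cannot be loaded."""
    try:
        RecentChain(pkt_list_tot=20)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(sshd_limit_demo())          # {'flood': 20, 'after_5s': 5, 'after_long_quiet': 20}
    print(recent_demo())              # flood_500ps [120, 0, 0], steady_100ps [100, 100, 100]
    print(default_module_rejects_rule())
```

The second source at 100 SYN/s never trips the window, while the 500 SYN/s source gets its first 120 connections and nothing more until it has been silent for a full second; that silence-then-accept cycle, driven by the client's SYN retransmit timer, is the wave pattern described above. Swap `--update` for `--rcheck` in the real rule if you want dropped SYNs not to extend the block.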
