Port knocking script/server for fedora?

Tim ignored_mailbox at yahoo.com.au
Wed Nov 19 13:39:25 UTC 2014


On Wed, 2014-11-19 at 11:58 +0000, Patrick O'Callaghan wrote:
> If the main concern is ssh hacking, you might consider denyhosts (yum
> install denyhosts). It's easy to set up and seems to be effective. The
> logs make fascinating (and scary) reading.

To my mind, something like this ought to be part of the SSHD
configuration - a configurable quota of allowed connection attempts to
the daemon within a certain time period from the same source.  Notch up,
say, three failed logins, and you can't log in from that address for an
hour.  And not require some external thing to protect it.

Likewise, I think that sort of thing (configurable quota filter) should
be a standard part of the firewall that you already have, where you can
apply a simple connection limiter to particular ports of your choosing
(SSH, HTTP, etc).  Naturally, to avoid accidental denial of service, a
firewall needs to be able to differentiate between multiple okay
connections (e.g. browsing a webserver) and multiple not-okay
connections (e.g. not accepted SSH login attempts), not just dumbly
throttle so-many connections per minute.  And, theoretically, that
shouldn't be impossible (using lack of response, or particular denial
responses from known services being a trigger it can use).

Of course a hack attempt could be made from a plethora of addresses, to
try and get past that type of entry guard, but each one should fail and
get ignored.  You need a really good passphrase, and hopefully a paired
certificate, to stand against any external hack attempt; that's the real
defense.  The statistics of guessing a good passphrase should be
astronomical.  You don't know how many letters and/or numbers that I've
used, whether it's a real word, or several words.  Nor do you know if my
password is the same now, as it was two days ago, or three minutes ago.
Your previous discarded attempts maybe shouldn't be discarded, but tried
several times.  So to guess the actual one you've got nothing to work
with.  To put that another way, how well can *you* pick all the winning
numbers in a lottery?  And would anyone be able to win it if we didn't
know how many numbers to pick, nor within what range?

-- 
tim at localhost ~]$ uname -rsvp

Linux 3.17.2-200.fc20.i686 #1 SMP Tue Nov 4 18:28:00 UTC 2014 i686

All mail to my mailbox is automatically deleted, there is no point trying
to privately email me, I will only read messages posted to the public lists.

George Orwell's '1984' was supposed to be a warning against tyranny, not
a set of instructions for supposedly democratic governments.
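As an added illustration of the quota Tim sketches above (a few failed logins from one address inside a time window, then a lockout for an hour, with accepted logins not counting toward the quota), here is a small Python example. It is not from this thread, from sshd, or from any Fedora package; the 10-minute window, the sshd-style log lines, the 2014 year for the syslog timestamps and the IP addresses are all constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log-line shapes (constructed, modelled on typical sshd messages).
FAILED_RE = re.compile(
    r"Failed (?:password|publickey) for (?:invalid user )?\S+ from (\S+)")
ACCEPTED_RE = re.compile(r"Accepted (?:password|publickey) for \S+ from (\S+)")


class FailureQuota:
    """Per-source quota: `limit` failures within `window` bans the source for `ban_for`.

    Successful logins are deliberately not counted, so a busy but well-behaved
    client is never throttled; only not-okay connections feed the quota.
    """

    def __init__(self, limit=3, window=timedelta(minutes=10),
                 ban_for=timedelta(hours=1)):
        self.limit = limit
        self.window = window          # assumed window; the post leaves it open
        self.ban_for = ban_for
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned_until = {}              # ip -> datetime when the ban expires

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.banned_until[ip]       # ban has expired, forget it
            return False
        return True

    def record_failure(self, ip, now):
        """Count one failure; return True if this failure triggers a ban."""
        q = self.failures[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # slide the window forward
            q.popleft()
        if len(q) >= self.limit:
            self.banned_until[ip] = now + self.ban_for
            q.clear()                          # start afresh after the ban
            return True
        return False


def parse_line(line, year=2014):
    """Return (timestamp, kind, ip) for a syslog-style sshd line; kind may be None."""
    ts = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)
    m = FAILED_RE.search(line)
    if m:
        return ts, "failed", m.group(1)
    m = ACCEPTED_RE.search(line)
    if m:
        return ts, "accepted", m.group(1)
    return ts, None, None


def process(lines, quota=None):
    """Run the quota over log lines; return ([(ip, action), ...], quota)."""
    quota = quota or FailureQuota()
    actions = []
    for line in lines:
        ts, kind, ip = parse_line(line)
        if kind is None:
            continue
        if quota.is_banned(ip, ts):
            actions.append((ip, "dropped"))      # would be refused at the firewall
        elif kind == "accepted":
            actions.append((ip, "accepted"))     # okay connection, no effect
        elif quota.record_failure(ip, ts):
            actions.append((ip, "banned"))       # quota reached, lock out an hour
        else:
            actions.append((ip, "failed"))       # failure counted, not yet banned
    return actions, quota


# Constructed sample log lines using documentation address ranges.
SAMPLE_LINES = [
    "Nov 19 13:00:01 host sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2",
    "Nov 19 13:00:04 host sshd[2102]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2",
    "Nov 19 13:00:09 host sshd[2103]: Failed password for root from 203.0.113.5 port 51251 ssh2",
    "Nov 19 13:00:15 host sshd[2104]: Failed password for root from 203.0.113.5 port 51260 ssh2",
    "Nov 19 13:01:00 host sshd[2105]: Accepted publickey for tim from 198.51.100.7 port 40000 ssh2",
    "Nov 19 13:02:00 host sshd[2106]: Accepted publickey for tim from 198.51.100.7 port 40001 ssh2",
    "Nov 19 13:02:30 host sshd[2107]: Failed password for tim from 198.51.100.7 port 40002 ssh2",
    "Nov 19 14:00:30 host sshd[2108]: Failed password for root from 203.0.113.5 port 52000 ssh2",
]

if __name__ == "__main__":
    for ip, action in process(SAMPLE_LINES)[0]:
        print(f"{ip:15} {action}")
```

The third failure from 203.0.113.5 trips the ban, the fourth is dropped, the host that logs in successfully twice and then fumbles one password is left alone, and the failure at 14:00:30 lands after the hour-long ban has lapsed, so it is simply counted as a fresh first failure.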