Dan Langille wrote:
We are far away from the original topic. A new thread begins.
On 16 Apr 2006 at 18:34, Martin Hicks wrote:
On Sat, Apr 15, 2006 at 12:42:15PM -0400, sberaud wrote:
Adding the drop rule was made easy with Webmin, once I knew what I had
to do.
Okay, so here's what I do. I use ipt_recent, which allows you to do
<something> if someone tries to connect to you at a fairly high rate.
This stops the brute force ssh attacks in their tracks.
# Rate limit SSH -- avoid dictionary attacks
iptables -A INPUT -p tcp --dport 22 -i $extdev -m state --state NEW -m recent \
--set
iptables -A INPUT -p tcp --dport 22 -i $extdev -m state --state NEW -m recent \
--update --seconds 60 --hitcount 4 -j LOG
iptables -A INPUT -p tcp --dport 22 -i $extdev -m state --state NEW -m recent \
--update --seconds 60 --hitcount 4 -j DROP
The suggestions by Martin are what I dreamed of doing, but was way
beyond me. With red face, I should have been more clear. I found out how
to add a drop rule to Shorewall, not IPChains. I have no idea how to do
something this complex with Shorewall (vintage 2003), and ipchains has
not been a successful endeavor for me in the past. It is time to learn I
suppose, because I need to do this for MySQL as well.
I would recommend moving sshd to listen on another higher, random
port. e.g. 12345.
I noticed all the attacks were trying random ports in the upper range. I
am curious about the upper ports. Why are they more secure than the
lower ones?
Also, make use of the ssh config file to limit incoming connections
to known IP addresses.
Under normal conditions I usually have SSH firewalled away from the
world, this seems to be a good extra layer of security.
And best of all, require the use of sshe keys to login, not
passwords.
This is a very good idea.
There is always more to learn. ;)
Thanks
Scy