Date: Fri, 30 Dec 2011 05:22:02 -0800
Content-Type: text/plain
On 2011/12/30 00:14, MT Julianto wrote:
> On 27 December 2011 21:02, jdow <[log in to unmask]> wrote:
>
> If the server is not busy that might be an interesting way to keep
> hackers out of the machine. It would also make my log files smaller.
>
>
> Indeed, I found some traces of an intruder trying to get root access via ssh, but
> none succeeded. Now I use fail2ban (available at atrpms) to handle them.
>
> -Tito.
I find zero to five tries a day. For some strange reason every try is from a
different address.
I have my own iptables script with lines like these in it:
# record the source address of every new (SYN) connection to port 22 in the "sshattack" list
$IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
# second new connection from the same source within 60 seconds: log it ...
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
--rcheck --seconds 60 --hitcount 2 -j LOG --log-prefix 'SSH REJECT: ' \
--log-level info
# ... and reject it with a TCP reset
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
--rcheck --seconds 60 --hitcount 2 -j REJECT --reject-with tcp-reset
The -m recent, --seconds 60, and --hitcount 2 phrases are the magic. Much of
that is so that I get the rejects logged, thanks to my sick curiosity.
This allows me to typo the password. All I have to do is wait a couple of minutes
between tries. (Not all the portable hardware has a good enough ssh
implementation that I can eschew passwords.) I also use this for pop3s and imaps,
neither of which has been attacked, yet. That's a little easier than trying
to tunnel pop3 or imap through ssh.
{^_^}
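The same "-m recent" throttle as a reusable shell helper, added here as an example (it is not jdow's script, only a generalisation of the three rules quoted above). One function covers ssh as well as the pop3s and imaps ports mentioned in the mail; the function names throttle_port and count_rules are this example's own, and IPTABLES defaults to a dry run ("echo iptables") so the script can be read and checked without root.

```shell
#!/bin/sh
# Added example, not from the original mail: emit the poster's per-source
# connection throttle for any TCP port. Set IPTABLES=/sbin/iptables to apply
# the rules for real; the default "echo iptables" only prints them.
IPTABLES="${IPTABLES:-echo iptables}"

# throttle_port NAME PORT SECONDS HITCOUNT
# Three rules per port, in the same order as the quoted script:
#   1. record the source of every new connection (SYN) in list NAME (--set)
#   2. if that source already has HITCOUNT entries within SECONDS, log it
#   3. ...and reject it with a TCP reset
# --rcheck does not update the list, but rule 1 has already recorded this
# SYN, so a rejected attempt still counts: the client must stay quiet for
# a full SECONDS window before it is accepted again.
throttle_port() {
    name="$1"; port="$2"; seconds="$3"; hits="$4"
    $IPTABLES -A INPUT -p tcp --syn --dport "$port" \
        -m recent --name "$name" --set
    $IPTABLES -A INPUT -p tcp --syn --dport "$port" \
        -m recent --name "$name" --rcheck --seconds "$seconds" --hitcount "$hits" \
        -j LOG --log-prefix "${name} REJECT: " --log-level info
    $IPTABLES -A INPUT -p tcp --syn --dport "$port" \
        -m recent --name "$name" --rcheck --seconds "$seconds" --hitcount "$hits" \
        -j REJECT --reject-with tcp-reset
}

# count_rules NAME PORT SECONDS HITCOUNT
# Dry-run self-check: how many rule lines would be added for one port.
count_rules() {
    (IPTABLES="echo iptables"; throttle_port "$@") | wc -l
}

# The poster's policy, 2 new connections per 60 seconds per source address,
# applied to ssh (22), pop3s (995) and imaps (993).
throttle_port sshattack  22  60 2
throttle_port pop3attack 995 60 2
throttle_port imapattack 993 60 2
```

Because the list is keyed by source address, this stops repeated attempts from one host but does nothing against attempts that each arrive from a different address, which is exactly the pattern the mail reports seeing in its logs; for that case the logging rule is still the useful part, since it gives fail2ban or a log review something to work with.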