SCIENTIFIC-LINUX-USERS Archives

December 2011

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Date: Fri, 30 Dec 2011 05:22:02 -0800

On 2011/12/30 00:14, MT Julianto wrote:
> On 27 December 2011 21:02, jdow <[log in to unmask]> wrote:
>
>     If the server is not busy that might be an interesting way to keep
>     hackers out of the machine. It would also make my log files smaller.
>
>
> Indeed, I found some traces of an intruder trying to get root access via ssh, but
> none succeeded.  Now, I use fail2ban (available at atrpms) to handle them.
>
> -Tito.

I find zero to five tries a day. For some strange reason every try is from a
different address.

I have my own iptables script with lines like these in it:
# every inbound SYN to port 22 records a hit for the source address
$IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
# a second SYN from the same source within 60 seconds: log it ...
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
   --rcheck --seconds 60 --hitcount 2 -j LOG --log-prefix 'SSH REJECT: ' \
   --log-level info
# ... and reject it with a TCP reset
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
   --rcheck --seconds 60 --hitcount 2 -j REJECT --reject-with tcp-reset

The -m recent, --seconds 60, and --hitcount 2 phrases are the magic. Much of
that is so that I get the rejects logged, thanks to my sick curiosity.

This allows me to typo the password. All I have to do is wait a couple of minutes
between tries. (Not all the portable hardware has a good enough ssh
implementation that I can eschew passwords.) I also use this for pop3s and imaps,
neither of which has been attacked, yet. That's a little easier than trying
to tunnel pop3 or imap through ssh.

{^_^}
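The following is an added example, not part of the original message and not jdow's script: a small Python model of the decision the three `-m recent` rules above make for each inbound SYN. It is not the xt_recent kernel module, only a reimplementation of the `--set` / `--rcheck --seconds 60 --hitcount 2` semantics on a list of constructed (timestamp, source address) events, so the effect of the 60-second window and the "wait between tries" behaviour can be checked without touching a firewall. The addresses, timestamps and the `filter_syns` function name are constructed for this example.

```python
# Model of the xt_recent rule chain posted in the message above (added example;
# not the kernel module, not the poster's script). Rules modelled, in order,
# for each inbound TCP SYN to port 22:
#   1. -m recent --name sshattack --set              -> record a hit for the source
#   2. -m recent --rcheck --seconds 60 --hitcount 2  -> >= 2 hits in the last 60 s
#      from this source: LOG ...
#   3. same match                                    -> ... then REJECT (tcp-reset)
# A SYN that falls through all three is treated as ACCEPT here.
from collections import defaultdict, deque

WINDOW_SECONDS = 60
HITCOUNT = 2
# xt_recent keeps a bounded number of timestamps per address (the
# ip_pkt_list_tot module parameter, default 20); the model keeps that bound.
PKT_LIST_TOT = 20


class RecentTable:
    """Per-source hit timestamps, i.e. one 'recent' list such as sshattack."""

    def __init__(self, pkt_list_tot=PKT_LIST_TOT):
        self.hits = defaultdict(deque)
        self.pkt_list_tot = pkt_list_tot

    def set(self, src, now):
        """--set: add a hit for src at time `now`, dropping the oldest if full."""
        q = self.hits[src]
        q.append(now)
        if len(q) > self.pkt_list_tot:
            q.popleft()

    def rcheck(self, src, now, seconds, hitcount):
        """--rcheck --seconds S --hitcount N: true when at least N hits for src
        fall inside the last S seconds. Unlike --set/--update, it does not
        modify the list."""
        window = [t for t in self.hits.get(src, ()) if now - t <= seconds]
        return len(window) >= hitcount


def filter_syns(events):
    """events: (timestamp_seconds, src_ip) SYNs in time order.
    Returns (verdicts, log_lines): one 'ACCEPT'/'REJECT' per event, plus the
    lines the LOG rule would have emitted (prefix as in the posted rule)."""
    table = RecentTable()
    verdicts, log_lines = [], []
    for now, src in events:
        table.set(src, now)                                   # rule 1: --set
        if table.rcheck(src, now, WINDOW_SECONDS, HITCOUNT):  # rules 2 and 3
            log_lines.append(f"SSH REJECT: SRC={src} t={now}")
            verdicts.append("REJECT")
        else:
            verdicts.append("ACCEPT")
    return verdicts, log_lines


# Constructed sample: one source that retries quickly, then waits out the
# window, plus an unrelated source whose attempt lands inside that window.
SAMPLE_SYNS = [
    (0, "198.51.100.7"),    # first attempt: accepted
    (5, "198.51.100.7"),    # retry 5 s later: 2 hits in window -> rejected
    (30, "203.0.113.9"),    # different source, its own counter -> accepted
    (70, "198.51.100.7"),   # 65 s after the last hit: 1 hit in window -> accepted
    (100, "198.51.100.7"),  # 30 s later -> rejected again
    (110, "198.51.100.7"),  # rejected SYNs still count, since --set ran first
]

if __name__ == "__main__":
    verdicts, log_lines = filter_syns(SAMPLE_SYNS)
    for (t, src), verdict in zip(SAMPLE_SYNS, verdicts):
        print(f"t={t:>3}s {src:<14} {verdict}")
    print("\n".join(log_lines))
```

Two things the model makes visible that the rule text does not: because `--set` runs before `--rcheck`, every SYN counts, including the ones that are rejected, so a client that keeps retrying inside the window never gets back in until it stays quiet for a full 60 seconds; and a legitimate client whose first SYN is lost and retransmitted a second later is counted twice and gets the reset, which is the price of keying on SYNs alone.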
