I love IP Tables....

Manuel Arostegui Ramirez manuel at todo-linux.com
Sat May 26 10:39:05 UTC 2007


On Saturday, 26 May 2007 12:19, jdow wrote:
> From: "Amadeus W.M." <amadeus84 at verizon.net>
>
> >> People asked - here is the answer:
> >> # Then setup the reject trap
> >> $IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
> >> $IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
> >>   --rcheck --seconds 180 --hitcount 2 -j LOG --log-prefix 'SSH REJECT: '
> >> $IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
> >>   --rcheck --seconds 180 --hitcount 2 -j REJECT --reject-with tcp-reset
> >>
> >>
> >> Adapt it to your configuration, of course. {^_^}   (I probably should
> >> have included that in the first email for politeness. Please 'scuse me.)
> >
> > You do know, that if you run ssh on your pet's birthday port, rather than
> > 22, you will not see any of the crap brute force attacks, don't you?
>
> Yes, but then I've faced enough port scans to realize that security
> through obscurity is horse feathers.
>

I didn't mean to say that hiding your port would be the KEY to all of SSH
security :-)
It's just one more barrier to the script kiddies. From my point of view the
best way to avoid brute-force attacks is to only allow public/private key
authentication.


-- 
Manuel Arostegui Ramirez.

Electronic Mail is not secure, may not be read every day, and should not
be used for urgent or sensitive issues.
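The quoted "recent" trap and the key-only policy from the reply, worked into one script, as an added example that is not code from either poster: the rule set goes into a function with a dry-run switch and an optional trusted CIDR (accepted before the trap, so an operator retrying from that network cannot lock himself out), and a second function switches an sshd_config to key-only authentication the way the reply recommends. The function and variable names (ssh_trap_rules, ssh_key_only, effective_setting, IPTABLES, SSH_PORT, WINDOW, HITS) and the sample sshd_config used to exercise it are this example's own, not anything from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Packages the quoted iptables
# "recent" trap as a function and adds the sshd_config change that removes
# the password attack surface altogether. All names here are this example's
# own assumptions, not something from the original posts.

IPTABLES="${IPTABLES:-iptables}"  # set IPTABLES=echo to preview instead of apply
SSH_PORT="${SSH_PORT:-22}"
WINDOW=180   # seconds of history --rcheck looks back over
HITS=2       # SYNs within WINDOW (this one included) that trip the trap

# Install the trap. Optional $1 is a trusted CIDR accepted before the trap.
# Rule order matters: --set records the SYN first, so the two --rcheck rules
# count the current attempt; LOG does not terminate the chain, REJECT does.
ssh_trap_rules() {
    if [ -n "$1" ]; then
        $IPTABLES -A INPUT -p tcp --syn --dport "$SSH_PORT" -s "$1" -j ACCEPT
    fi
    $IPTABLES -A INPUT -p tcp --syn --dport "$SSH_PORT" \
        -m recent --name sshattack --set
    $IPTABLES -A INPUT -p tcp --syn --dport "$SSH_PORT" \
        -m recent --name sshattack --rcheck --seconds "$WINDOW" --hitcount "$HITS" \
        -j LOG --log-prefix 'SSH REJECT: '
    $IPTABLES -A INPUT -p tcp --syn --dport "$SSH_PORT" \
        -m recent --name sshattack --rcheck --seconds "$WINDOW" --hitcount "$HITS" \
        -j REJECT --reject-with tcp-reset
}

# Settings that leave public/private key authentication as the only way in.
KEY_ONLY_SETTINGS="PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin no"

# sshd honours the first value it reads for a keyword, so the hardened
# settings are prepended (above any Match block) and every existing line for
# the same keyword, commented out or not, is removed from the file given as $1.
# Keyword spelling is matched as in the stock config (case-sensitive here).
ssh_key_only() {
    cfg="$1"
    printf '%s\n' "$KEY_ONLY_SETTINGS" | while read -r key val; do
        sed "/^[[:space:]#]*$key[[:space:]=]/d" "$cfg" > "$cfg.tmp" \
            && mv "$cfg.tmp" "$cfg"
    done
    { printf '%s\n' "$KEY_ONLY_SETTINGS"; cat "$cfg"; } > "$cfg.tmp" \
        && mv "$cfg.tmp" "$cfg"
}

# Print the value sshd will use for keyword $2 in config $1: first match wins,
# keywords compare case-insensitively (Match blocks are not modelled).
effective_setting() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '$1 !~ /^#/ && tolower($1) == k { print $2; exit }' "$1"
}

# Usage (as root, after previewing with IPTABLES=echo):
#   ssh_trap_rules 203.0.113.0/24     # 203.0.113.0/24 is a documentation range
#   ssh_key_only /etc/ssh/sshd_config && sshd -t && systemctl restart sshd
```

Two things to watch before turning this on: with HITS=2 and WINDOW=180 a legitimate user who opens a second session within three minutes is reset as well, so either raise HITS or keep the trusted CIDR in front of the trap; and `sshd -t` must pass before the daemon is restarted, because a typo in sshd_config on a remote box is a lock-out too.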




More information about the fedora-list mailing list