Re: Stealthing Ports in system-config-securitylevel was: SSH brute force attack
- From: Paul Jakma <paul dishone st>
- To: For testers of Fedora Core development releases <fedora-test-list redhat com>
- Subject: Re: Stealthing Ports in system-config-securitylevel was: SSH brute force attack
- Date: Tue, 3 May 2005 11:09:38 +0100 (IST)
On Thu, 28 Apr 2005, Roger Grosswiler wrote:
> We have a nice tool called system-config-securitylevel, why isn't
> it possible to indicate some IPs or ranges there and click to
> "stealth", so this port is just visible to the indicated
> IP addresses??
Usually with ssh you want it generally accessible. The 'recent'
module is useful though, to slow down brute force attacks:
# grep ssh-scan /etc/sysconfig/iptables
:ssh-scan - [0:0]
-A infilter -j ssh-scan
-A ssh-scan -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
-A ssh-scan -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH --rsource -j LOG --log-prefix "SSH Scan: "
-A ssh-scan -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH --rsource -j DROP
(as seen on Debian Planet).
The hitcount parameter probably should be reduced to 3 to 5 though
(I use 8 to filter ssh to a whole subnet).
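To make the effect of --seconds and --hitcount concrete, here is a small model of the three rules above run over some constructed connection attempts. It is an added example, not code from the post; the source addresses, timings and the LOG line format are made up, one stamp is recorded per NEW packet (the real xt_recent also stamps on a matching --update and caps the stored stamps), and --rttl is not modelled.

```python
from collections import defaultdict

# Constructed model (not part of the post) of the three '-m recent' rules:
#   rule 1: --set                                   records a stamp for the source
#   rule 2: --update --seconds 60 --hitcount 8 -j LOG
#   rule 3: --update --seconds 60 --hitcount 8 -j DROP
# Simplifications: one stamp per NEW packet; --rttl (TTL must match the
# recorded entry) is left out.

WINDOW_SECONDS = 60   # --seconds
HITCOUNT = 8          # --hitcount (the post suggests 3 to 5 for a single host)


class RecentTable:
    """Per-source timestamp list, standing in for the list named by --name SSH."""

    def __init__(self, seconds=WINDOW_SECONDS, hitcount=HITCOUNT):
        self.seconds = seconds
        self.hitcount = hitcount
        self.stamps = defaultdict(list)

    def set(self, src, now):
        """--set: record this packet for src."""
        self.stamps[src].append(now)

    def hits(self, src, now):
        """--update --seconds S --hitcount N: number of stamps for src within
        the last S seconds, this packet's own stamp included."""
        return sum(1 for t in self.stamps[src] if now - t <= self.seconds)


def ssh_scan_chain(table, src, now):
    """Walk the ssh-scan chain for one NEW SYN; returns (verdict, logged)."""
    table.set(src, now)                         # rule 1: -m recent --set
    over = table.hits(src, now) >= table.hitcount
    logged = over                               # rule 2: -j LOG (non-terminating)
    if over:                                    # rule 3: -j DROP
        return "DROP", logged
    return "ACCEPT", logged                     # falls through to the rest of the ruleset


def simulate(attempts, seconds=WINDOW_SECONDS, hitcount=HITCOUNT):
    """attempts: iterable of (time_in_seconds, source_ip) for NEW SSH SYNs in
    chronological order. Returns a list of (time, src, verdict)."""
    table = RecentTable(seconds, hitcount)
    verdicts = []
    for now, src in attempts:
        verdict, logged = ssh_scan_chain(table, src, now)
        if logged:
            # roughly what the LOG rule's --log-prefix line would show (constructed format)
            print(f"SSH Scan: t={now:>4}s SRC={src}")
        verdicts.append((now, src, verdict))
    return verdicts


# Constructed traffic: one source hammering every 2 s, an admin reconnecting
# a few times, and the first source coming back 82 s after its burst.
SAMPLE_ATTEMPTS = sorted(
    [(t, "203.0.113.5") for t in range(0, 20, 2)]                      # 10 SYNs in 18 s
    + [(0, "198.51.100.7"), (30, "198.51.100.7"), (120, "198.51.100.7")]
    + [(100, "203.0.113.5")]
)


def verdicts_for(src, attempts=SAMPLE_ATTEMPTS, **kw):
    """Verdict sequence for one source, in time order."""
    return [v for _, s, v in simulate(attempts, **kw) if s == src]


if __name__ == "__main__":
    for src in ("203.0.113.5", "198.51.100.7"):
        print(src, verdicts_for(src))
    print("with --hitcount 4:", verdicts_for("203.0.113.5", hitcount=4))
```

With the post's values the hammering source gets 7 connections through, its 8th, 9th and 10th within the 60 s window are logged and dropped, and the attempt at t=100 is accepted again because every earlier stamp has aged out of the window; with --hitcount 4, as the post suggests for a single host, only 3 get through. The admin's three widely spaced connections never reach the threshold.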
regards,
--
Paul Jakma paul clubi ie paul jakma org Key ID: 64A2FF6A
Fortune:
You will lose an important tape file.