question about ssh

Ed Wilts ewilts at ewilts.org
Fri Dec 31 15:28:16 UTC 2004


On Thu, Dec 30, 2004 at 10:34:36PM -0700, James McKenzie wrote:
> Ed Wilts wrote:
> >On Thu, Dec 30, 2004 at 09:19:35PM +0800, chi wrote:
> 
> >My recommended approach would be to block *all* incoming connections to
> >sshd via either /etc/hosts.deny or via iptables.  Then, add only those
> >hosts or subnets who you know need incoming access.  In my case, I allow
> >incoming access from my office subnet and from a trusted colleague but
> >everybody else is blocked.  
> 
> Example iptables lines please?

I personally don't use iptables - I prefer to do it via tcpwrappers
since it's so trivial to manage. I've masked the output below slightly
(I don't work for trusted.com, whoever they are) but you should get the 
drift.

#
# hosts.deny	This file describes the names of the hosts which are
#		*not* allowed to use the local INET services, as decided
#		by the '/usr/sbin/tcpd' server.
#

#  from %h %a to %d at `date`|tee -a /var/log/secure|mail root
ALL: ALL: spawn echo tcpwrap has detected an unauthorised connection attempt\
  from %h %a to %d at `date`|tee -a /var/log/secure|mail -s 'Unauthorized \
  Connection attempt' root

-----------------------------
#
# hosts.allow	This file describes the names of the hosts which are
#		allowed to use the local INET services, as decided
#		by the '/usr/sbin/tcpd' server.
#
ALL: LOCAL, .ewilts.org, 192.168.0.0/255.255.255.0,127.0.0.1,.trusted.com, 
sendmail: ALL
smtps: ALL

> I think the idea of using port 2222 is a better one.

A port scanner will find you.  Security by obscurity won't help you in
the long run.  The script kiddies will just add 2222 to their list of
ports to check.

-- 
Ed Wilts, RHCE
Mounds View, MN, USA
mailto:ewilts at ewilts.org
Member #1, Red Hat Community Ambassador Program
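The hosts.allow / hosts.deny decision that the post relies on, as an added example (not Ed's own code and not part of the fedora-list thread): a small Python model of tcpd's hosts_access evaluation, run over the two files quoted above. The file contents are constructed copies of the post's examples (keeping its masked `.trusted.com`), the client hostnames and addresses are made-up test values, and `EXCEPT` handling is a simplified, non-nested version of what tcpwrappers supports. It shows why the `ALL: ALL` line in hosts.deny matters: tcpd falls back to *allow* when neither file matches, so an empty hosts.deny leaves sshd open to everyone.

```python
import ipaddress
import re

# Constructed copy of the post's hosts.deny (the spawn command is kept
# only to show that the third field does not affect the match decision).
HOSTS_DENY = """
# hosts.deny: refuse every daemon to every client not listed in hosts.allow
ALL: ALL: spawn echo tcpwrap has detected an unauthorised connection attempt\\
  from %h %a to %d at `date`|tee -a /var/log/secure|mail root
"""

# Constructed copy of the post's hosts.allow; .trusted.com is the post's own
# masked placeholder, not a real trusted domain.
HOSTS_ALLOW = """
ALL: LOCAL, .ewilts.org, 192.168.0.0/255.255.255.0,127.0.0.1,.trusted.com,
sendmail: ALL
smtps: ALL
"""


def _tokens(field):
    """tcpwrappers list elements are separated by commas and/or blanks."""
    return [t for t in re.split(r"[,\s]+", field.strip()) if t]


def parse_access_file(text):
    """Return (daemon_list, client_list) pairs. Backslash-continued lines are
    joined first; comments and blank lines are skipped; the optional third
    ':' field (shell_command) is ignored for matching purposes."""
    joined, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        joined.append(line)
    rules = []
    for line in joined:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 2)
        if len(fields) < 2:
            continue  # malformed line: skipped here (tcpd would log an error)
        rules.append((_tokens(fields[0]), _tokens(fields[1])))
    return rules


def _list_match(tokens, matcher):
    """'a b EXCEPT c d' matches when some of a,b match and none of c,d do.
    Simplification: nested EXCEPT is not supported in this model."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return _list_match(tokens[:i], matcher) and not _list_match(tokens[i + 1:], matcher)
    return any(matcher(t) for t in tokens)


def client_matches(token, hostname, ip):
    """Client-pattern semantics from hosts_access(5). hostname is None when
    reverse lookup failed (the UNKNOWN case)."""
    addr = ipaddress.ip_address(ip)
    if token == "ALL":
        return True
    if token == "LOCAL":                       # hostname without a dot
        return hostname is not None and "." not in hostname
    if token == "KNOWN":
        return hostname is not None
    if token == "UNKNOWN":
        return hostname is None
    if token.startswith("."):                  # domain suffix, e.g. .ewilts.org
        return hostname is not None and hostname.lower().endswith(token.lower())
    if token.endswith("."):                    # address prefix, e.g. 192.168.
        return ip.startswith(token)
    if "/" in token:                           # net/mask, dotted mask or prefix length
        return addr in ipaddress.ip_network(token, strict=False)
    return (hostname is not None and hostname.lower() == token.lower()) or ip == token


def hosts_access(daemon, hostname, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcpd's decision order: a hosts.allow match grants access, otherwise a
    hosts.deny match refuses it, otherwise access is granted by default."""
    def rule_hits(rules):
        return any(
            _list_match(daemons, lambda t: t in ("ALL", daemon))
            and _list_match(clients, lambda t: client_matches(t, hostname, ip))
            for daemons, clients in rules
        )
    if rule_hits(parse_access_file(allow_text)):
        return "allow"
    if rule_hits(parse_access_file(deny_text)):
        return "deny"
    return "allow"


if __name__ == "__main__":
    # Made-up clients; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
    for daemon, host, ip in [
        ("sshd", "buildbox", "10.1.2.3"),                 # LOCAL (no dot)
        ("sshd", "laptop.ewilts.org", "10.9.8.7"),        # domain suffix
        ("sshd", None, "192.168.0.42"),                   # net/mask
        ("sshd", "scanner.example.net", "203.0.113.5"),   # nothing in allow -> deny
        ("sendmail", "scanner.example.net", "203.0.113.5"),  # sendmail: ALL
    ]:
        print(f"{daemon:8} {ip:15} -> {hosts_access(daemon, host, ip)}")
    # Same scanner, but with an empty hosts.deny: tcpd's default is allow.
    print("sshd with empty hosts.deny ->",
          hosts_access("sshd", "scanner.example.net", "203.0.113.5", deny_text=""))
```

The last line of the demonstration is the point to take from the post: the allow list alone does nothing for sshd unless hosts.deny closes the default, which is why the `ALL: ALL` line comes first in Ed's setup.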