NOUSER

Don Russell fedora at drussell.dnsalias.com
Tue Aug 7 21:52:36 UTC 2007


Vivek J. Patankar wrote:
> Rick Stevens wrote:
>> I have iptables rules that only allow ssh tries from our networks or
>> machines I know of.  To wit:
>>
>> # Accept SSH from our networks...
>> -A INPUT -s aaa.bbb.ccc.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
>> -A INPUT -s ddd.eee.fff.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
>> # Accept SSH from my machine at home...
>> -A INPUT -s ggg.hhh.iii.jjj/32 -p tcp -m tcp --dport 22 -j ACCEPT
>> (more rules...)
>>
>> At the end, put in a blanket "don't allow SSH from anywhere else" rule:
>>
>> # Block any ssh attempts from outside our network...
>> -A INPUT -i eth0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
>
> I have restricted access to specific IPs only using hosts.deny and 
> hosts.allow. That does the job for me. And there is a dedicated 
> firewall sitting between the server and the Web which allows only SSH 
> connections to come through.
>
>
>> If you must leave ssh open to the outside world, use a simple iptables
>> ruleset to limit attempts:
> *snip*
>> If more than one ssh attempt is made in 180 seconds (three minutes)
>> from a given IP address, this blocks that IP address for that duration.
>> You get one try.  If you fail, you must wait 3 minutes before you can
>> try again.
>>
>> Note that even a successful login is counted.  If you log in and
>> immediately log out, you still have to wait 3 minutes to get in again.
>>
>> Change the "--hitcount 2" bits to "--hitcount 3" if you want to give
>> yourself two tries to get in.  You can also change the "--seconds 180"
>> to "--seconds 300" to make the delay 5 minutes.  The values I give above
>> are enough to discourage most script kiddie attempts to get into your
>> box.
>
> This is an excellent idea! Thanks a lot.

yum info fail2ban
yum install fail2ban

The fail2ban package dynamically blocks/unblocks IP addresses based on 
password failures...
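The two throttling approaches in this thread behave quite differently for a legitimate user, and the difference is easy to see by modelling both over the same trace of connection attempts. The Python below is an added example, not code from any of the posts: it reproduces the semantics of the xt_recent ruleset Rick describes (a `--set` rule followed by `--update --seconds 180 --hitcount 2`; the exact ruleset was snipped, so that rule order is an assumption) and a fail2ban-style jail that counts only failed logins (the `maxretry`, `findtime` and `bantime` values are assumed, not taken from any fail2ban default). The event trace is constructed for illustration.

```python
"""Model two SSH brute-force throttles from the fedora-list thread.

Added example, not code from the original posts. Assumptions:
  - the iptables rules apply to NEW connections to port 22 in this order:
        -m recent --set --name SSH
        -m recent --update --seconds 180 --hitcount 2 --name SSH -j DROP
  - the fail2ban-style jail uses maxretry=3, findtime=600, bantime=600
  - the EVENTS trace below is made up
"""
from collections import defaultdict

IPT_SECONDS = 180    # --seconds 180
IPT_HITCOUNT = 2     # --hitcount 2 (one try, as Rick describes)
IPT_LIST_TOT = 20    # xt_recent default ip_pkt_list_tot: stamps kept per address;
                     # --hitcount above this value makes the rule fail to load


class RecentMatch:
    """Per-address timestamp list as kept by the xt_recent module."""

    def __init__(self, seconds=IPT_SECONDS, hitcount=IPT_HITCOUNT):
        self.seconds, self.hitcount = seconds, hitcount
        self.stamps = defaultdict(list)

    def _record(self, ip, now):
        st = self.stamps[ip]
        st.append(now)
        del st[:-IPT_LIST_TOT]        # the oldest stamps get overwritten

    def new_connection(self, ip, now):
        """Verdict for one NEW SYN: 'ACCEPT' (falls through) or 'DROP'."""
        self._record(ip, now)         # --set runs first, so this packet counts
        hits = sum(1 for t in self.stamps[ip] if now - t <= self.seconds)
        if hits >= self.hitcount:
            self._record(ip, now)     # --update also stamps the matched packet
            return "DROP"
        return "ACCEPT"


class LogBan:
    """fail2ban-style jail: only authentication failures count, and the ban
    is applied after the failure that crosses maxretry has already happened."""

    def __init__(self, maxretry=3, findtime=600, bantime=600):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(list)
        self.banned_until = {}

    def attempt(self, ip, now, login_ok):
        if self.banned_until.get(ip, -1) > now:
            return "DROP"             # firewall rule inserted by the ban action
        if login_ok:
            return "ACCEPT"
        f = self.failures[ip]
        f.append(now)
        f[:] = [t for t in f if now - t <= self.findtime]
        if len(f) >= self.maxretry:
            self.banned_until[ip] = now + self.bantime
            f.clear()
        return "ACCEPT"               # this attempt still reached sshd


def simulate(events, recent=None, jail=None):
    """events: list of (seconds, address, login_succeeded), time-ordered.
    Returns the per-event verdicts of both models."""
    recent = recent if recent is not None else RecentMatch()
    jail = jail if jail is not None else LogBan()
    out = {"iptables": [], "fail2ban": []}
    for now, ip, ok in events:
        out["iptables"].append(recent.new_connection(ip, now))
        out["fail2ban"].append(jail.attempt(ip, now, ok))
    return out


# Constructed trace: (seconds, address, did the password succeed)
EVENTS = [
    (0,   "192.0.2.10",  True),    # admin logs in and logs straight out
    (0,   "203.0.113.5", False),   # scanner starts guessing every 5 s
    (5,   "203.0.113.5", False),
    (10,  "203.0.113.5", False),
    (15,  "203.0.113.5", False),
    (30,  "192.0.2.10",  True),    # admin comes back 30 s later
    (200, "192.0.2.10",  True),    # 170 s after the last try: clock restarted
    (400, "192.0.2.10",  True),    # 200 s after the last try
]

if __name__ == "__main__":
    for name, verdicts in simulate(EVENTS).items():
        print(name, verdicts)
    print("hitcount 3", simulate(EVENTS, recent=RecentMatch(hitcount=3))["iptables"])
```

Running it shows the trade-off the thread is circling: with `--hitcount 2` the admin who logs in, logs out and reconnects inside three minutes is dropped, and because the `--set` rule stamps every new connection, each retry inside the window restarts the 180 s clock (the attempt at 200 s is still dropped; the one at 400 s gets through). `--hitcount 3` gives the two tries Rick mentions. The failure-counting jail never touches the admin, but the scanner gets `maxretry` guesses through before the ban lands. Whichever you use, keep the ACCEPT rules for your own networks ahead of the throttle, and keep `--hitcount` at or below `ip_pkt_list_tot` (20 by default) or the rule will not insert.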




More information about the fedora-list mailing list