NOUSER

Rick Stevens rstevens at internap.com
Wed Aug 8 00:30:27 UTC 2007


On Wed, 2007-08-08 at 02:50 +0530, Vivek J. Patankar wrote:
> Rick Stevens wrote:
> > I have iptables rules that only allow ssh tries from our networks or
> > machines I know of.  To wit:
> > 
> > # Accept SSH from our networks...
> > -A INPUT -s aaa.bbb.ccc.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
> > -A INPUT -s ddd.eee.fff.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
> > # Accept SSH from my machine at home...
> > -A INPUT -s ggg.hhh.iii.jjj/32 -p tcp -m tcp --dport 22 -j ACCEPT
> > (more rules...)
> > 
> > At the end, put in a blanket "don't allow SSH from anywhere else" rule:
> > 
> > # Block any ssh attempts from outside our network...
> > -A INPUT -i eth0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j
> > REJECT --reject-with icmp-port-unreachable
> 
> I have restricted access to specific IPs only using hosts.deny and 
> hosts.allow. That does the job for me. And there is a dedicated firewall 
> sitting between the server and the Web which allows only SSH connections 
> to come through.

Personally, I still prefer iptables.  Block them at the NIC level (or as
close as you can).  Why let them in any further than you absolutely have
to?

> > If you must leave ssh open to the outside world, use a simple iptables
> > ruleset to limit attempts:
> *snip*
> > If more than one ssh attempt is made in 180 seconds (three minutes)
> > from a given IP address, this blocks that IP address for that duration.
> > You get one try.  If you fail, you must wait 3 minutes before you can
> > try again.
> > 
> > Note that even a successful login is counted.  If you log in and
> > immediately log out, you still have to wait 3 minutes to get in again.
> > 
> > Change the "--hitcount 2" bits to "--hitcount 3" if you want to give
> > yourself two tries to get in.  You can also change the "--seconds 180"
> > to "--seconds 300" to make the delay 5 minutes.  The values I give above
> > are enough to discourage most script kiddie attempts to get into your
> > box.
> 
> This is an excellent idea! Thanks a lot.

You're welcome.

> My original concern, more of a curiosity really, was about the username 
> NOUSER. I've be getting attempts for root ever since this server went 
> live. But never for "NOUSER".

If you're still getting SSH crack attempts even though there's a
firewall out there, then you're either getting hit from someone you
"trust" or it's coming from inside your network.  I'd start an audit PDQ
(pretty damned quick) and find the culprit.  Undoubtedly some twit
with a Windows box is infected, either by getting hacked or by opening
an email with a worm attached.

Windows: The Typhoid Mary of operating systems.  If it isn't a virus,
itself, it sure as hell is a carrier!

----------------------------------------------------------------------
- Rick Stevens, Principal Engineer             rstevens at internap.com -
- CDN Systems, Internap, Inc.                http://www.internap.com -
-                                                                    -
-        Change is inevitable, except from a vending machine.        -
----------------------------------------------------------------------




More information about the fedora-list mailing list