More SSH 'trolling'
dave
drinker at dsrtech.com
Thu Oct 14 23:49:54 UTC 2004
Blocking repeat SSH attacks with IPTables
http://www.dsrtech.com/sshblock/
On Thu, 2004-10-14 at 19:10, STYMA, ROBERT E (ROBERT) wrote:
> One more lockdown on ssh I have not seen mentioned recently
> is /etc/hosts.allow and /etc/hosts.deny. The sshd uses these.
> If you have some idea of where people will be ssh'ing from, you
> can limit the IP ranges, or domain names which can get past
> in. If you don't match the list, you never even get to the login
> prompt. For example, my home ssh only allows the IP address of
> my machine at work to get a login prompt.
>
> Note that sshd (and tcpwrappers) looks at hosts.allow first and if
> it gets a thumbs up you get a login prompt. It then looks at
> hosts.deny. If you are not covered by this list, YOU GET IN!
> You probably want a hosts.deny file that reads:
>
> ALL: ALL
>
> That blocks everything except what is in hosts.allow.
>
> If you have a lot of people coming in from very diverse IP addresses,
> you could play the reverse game and use the hosts.deny to just block
> the IP ranges you see trolling. Lots of flexibility here. Breaking into
> ssh is even harder when you can't get a login prompt.
>
> Robert E. Styma
> Principal Engineer (DMTS)
> Lucent Technologies, Phoenix
> Email: stymar at lucent.com
> Phone: 623-582-7323
> FAX: 623-581-4390
> Company: http://www.lucent.com
> Personal: http://www.swlink.net/~styma
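The lookup order Robert describes (hosts.allow first, then hosts.deny, and a client that matches neither is let in) is easy to get wrong by omission, so here is an added example, not from the original post or the sshblock project, that models it in POSIX sh over constructed files. The matcher is deliberately simplified (it understands ALL, an exact address, and a trailing-dot prefix such as "192.168.1."); real tcp_wrappers also handles hostnames, netmasks, EXCEPT lists and more. The addresses 203.0.113.10 ("work") and 198.51.100.7 ("a stranger") are made up for the demo, and the temp-dir files stand in for /etc/hosts.allow and /etc/hosts.deny.

```shell
#!/bin/sh
# Added example (not the original poster's code): a small model of the
# tcp_wrappers decision order. hosts.allow is consulted first, then
# hosts.deny, and a client matching neither file is ALLOWED, which is why
# an "ALL: ALL" line in hosts.deny matters.

# match_pattern PATTERN CLIENT: succeed if PATTERN covers CLIENT.
# Simplified: ALL, an exact address, or a trailing-dot prefix ("192.168.1.").
match_pattern() {
    pat=$1
    client=$2
    case $pat in
        ALL) return 0 ;;
        *.)  case $client in "$pat"*) return 0 ;; esac ;;
        *)   if [ "$pat" = "$client" ]; then return 0; fi ;;
    esac
    return 1
}

# file_matches FILE DAEMON CLIENT: succeed if some "daemon: client" line
# in FILE covers this DAEMON/CLIENT pair. A missing file matches nothing.
file_matches() {
    file=$1
    daemon=$2
    client=$3
    [ -f "$file" ] || return 1
    while IFS= read -r line; do
        line=${line%%#*}                      # drop comments
        case $line in *:*) ;; *) continue ;; esac
        dlist=$(printf '%s' "${line%%:*}" | tr ',' ' ')
        clist=$(printf '%s' "${line#*:}" | tr ',' ' ')
        dmatch=1
        for d in $dlist; do
            if [ "$d" = ALL ] || [ "$d" = "$daemon" ]; then dmatch=0; fi
        done
        [ "$dmatch" -eq 0 ] || continue
        for c in $clist; do
            if match_pattern "$c" "$client"; then return 0; fi
        done
    done < "$file"
    return 1
}

# wrap_decision ALLOWFILE DENYFILE DAEMON CLIENT: print allow or deny
wrap_decision() {
    if file_matches "$1" "$3" "$4"; then
        echo allow
    elif file_matches "$2" "$3" "$4"; then
        echo deny
    else
        echo allow    # no match in either file: tcp_wrappers grants access
    fi
}

# demo: constructed hosts.allow / hosts.deny in a temp dir with made-up
# addresses (203.0.113.10 = "work", 198.51.100.7 = a stranger). Prints:
#   stranger with an empty hosts.deny, stranger after "ALL: ALL" is added,
#   and the work address after "ALL: ALL" is added.
demo() {
    tmp=$(mktemp -d)
    printf 'sshd: 203.0.113.10\n' > "$tmp/hosts.allow"
    : > "$tmp/hosts.deny"
    r1=$(wrap_decision "$tmp/hosts.allow" "$tmp/hosts.deny" sshd 198.51.100.7)
    printf 'ALL: ALL\n' > "$tmp/hosts.deny"
    r2=$(wrap_decision "$tmp/hosts.allow" "$tmp/hosts.deny" sshd 198.51.100.7)
    r3=$(wrap_decision "$tmp/hosts.allow" "$tmp/hosts.deny" sshd 203.0.113.10)
    rm -rf "$tmp"
    echo "$r1 $r2 $r3"
}

demo
```

The first decision is the trap: with only a hosts.allow entry and an empty hosts.deny, the stranger gets a login prompt. On a real host, the tcp_wrappers package ships tcpdmatch (e.g. `tcpdmatch sshd 198.51.100.7`) to evaluate the actual files. Two caveats: tcp_wrappers only protects daemons built against libwrap, and OpenSSH dropped that support in 6.7 (2014), so on a current system confirm it first (`ldd "$(command -v sshd)" | grep libwrap`) before relying on these files for sshd.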
More information about the fedora-list mailing list