hardening SSH
Rick Stevens
rstevens at internap.com
Fri Aug 17 00:51:24 UTC 2007
On Thu, 2007-08-16 at 17:41 -0400, Michael Klinosky wrote:
> Knute:
> > 200.100.0.0/16 or 200.100.0.0/255.255.0.0
>
> So, would this line work in sshd_config?
> ListenAddress 200.100.0.0/255.255.0.0
>
> I want to check before I go to that remote computer and try logging in
> (it's more than an hour drive).
If you only want to allow incoming ssh sessions from that address
block, use iptables and insert a rule:
-A INPUT -p tcp -m tcp -s 200.100.0.0/16 --sync --dport 22 -j ACCEPT
and make sure the last rule is something like:
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK,FIN,RST SYN -j DROP
to drop any other connection attempts other than the ones allowed above
it. Personally, I wouldn't open ssh to such a wide IP range (a /16 is
pretty damned big), and if I did, I'd sure put in a "you get X attempts,
and then I block you" rule.
----------------------------------------------------------------------
- Rick Stevens, Principal Engineer rstevens at internap.com -
- CDN Systems, Internap, Inc. http://www.internap.com -
- -
- "Do you suffer from long-term memory loss?" "I don't remember" -
- -- Chumbawumba, "Amnesia" (TubThumping) -
----------------------------------------------------------------------
More information about the fedora-list
mailing list