Passing password in ssh

John Summerfield debian at herakles.homelinux.org
Thu Jan 24 13:11:51 UTC 2008


Aldo Foot wrote:

> 
> I have a couple of questions:
> 
> 1. If you use the connection/hour limit scheme does it mean you don't
>     use tcpwrappers and you only rely on user/password for authorization?

tcpwrappers doesn't do anything I need that I can't also do with netfilter.
> 
> 2. Is this what you use to configure five ssh connections per hour?
>     #tcplimit 22 5 hour on
?? I don't ken that.
from iptables-save:

-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m limit --limit 5/hour -j LOG --log-prefix "SSH connexion "
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m limit --limit 5/hour -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j LOG --log-prefix "SSH connexion attack dropped "
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j DROP


Here's a logwatch summary:
Dropped 293 packets on interface eth0
   From 89.149.217.67 - 5 packets to tcp(22)
   From 116.38.112.245 - 4 packets to tcp(22)
   From 124.128.250.178 - 26 packets to tcp(22)
   From 128.135.130.42 - 1 packet to tcp(22)
   From 202.106.62.148 - 42 packets to tcp(22)
   From 203.94.8.149 - 28 packets to tcp(22)
   From 203.153.36.4 - 25 packets to tcp(22)
   From 203.174.48.70 - 28 packets to tcp(22)
   From 210.212.249.165 - 1 packet to tcp(22)
   From 219.239.218.162 - 27 packets to tcp(22)
   From 220.177.248.174 - 28 packets to tcp(22)
   From 221.13.10.139 - 78 packets to tcp(22)

Logged 27 packets on interface eth0
   From 89.149.217.67 - 2 packets to tcp(22)
   From 116.38.112.245 - 2 packets to tcp(22)
   From 124.128.250.178 - 2 packets to tcp(22)
   From 128.135.130.42 - 1 packet to tcp(22)
   From 202.106.62.148 - 3 packets to tcp(22)
   From 203.94.8.149 - 2 packets to tcp(22)
   From 203.153.36.4 - 2 packets to tcp(22)
   From 203.174.48.70 - 2 packets to tcp(22)
   From 219.239.218.162 - 2 packets to tcp(22)
   From 220.177.248.174 - 2 packets to tcp(22)
   From 221.13.10.139 - 7 packets to tcp(22)

I am more liberal with connexions from locations I may visit; I don't 
rate-limit or log.

It would take some time or improbable luck for someone to crack a 
password, even a weak one, at the rate of attempts I see.

Note too that this is my second access control; I run shorewall on the 
Internet gateway, and that blocks great gobs of people who've offended 
me. Mostly, when folk get past my antispam I do a whois search and block 
_at_ least a /24 network, sometimes a /13. Those, I block smtp, imap 
(we don't run pop) and ssh.



-- 

Cheers
John

-- spambait
1aaaaaaa at coco.merseine.nu  Z1aaaaaaa at coco.merseine.nu
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)
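The two pieces of the post above, the rate-limited iptables rules and the per-source logwatch summary, can be reproduced offline. The following script is an added illustration written for this page; it is not John's code, not part of the thread, and not netfilter itself. It assumes that `-m limit --limit 5/hour` with the default `--limit-burst 5` behaves as a token bucket (a close approximation of the kernel's credit-based limit match), that both `-m limit` instances in the ruleset see the same packets and therefore stay in lockstep (so one bucket suffices), and that an earlier rule in the real chain accepts ESTABLISHED traffic, since rules three and four carry no state match. The kernel log lines it parses are constructed with TEST-NET addresses, not taken from the post.

```python
"""Simulate the four SSH rules from the post and summarise the kernel LOG
lines they produce, logwatch-style.  Added example, not netfilter code."""
from collections import Counter, defaultdict
import re

RATE_PER_HOUR = 5   # --limit 5/hour
BURST = 5           # iptables default --limit-burst


class LimitMatch:
    """Token-bucket approximation of '-m limit --limit 5/hour --limit-burst 5'.
    The bucket starts full, refills at rate/3600 tokens per second, and a
    packet matches only when a whole token is available."""

    def __init__(self, rate_per_hour=RATE_PER_HOUR, burst=BURST):
        self.capacity = float(burst)
        self.tokens = float(burst)
        self.refill_per_sec = rate_per_hour / 3600.0
        self.last = None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.capacity,
                              self.tokens + (now - self.last) * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate_ssh_rules(events, limit=None):
    """events: iterable of (t_seconds, src_ip) for NEW SYNs to tcp/22.
    Walks the chain as written: rule 1 logs within the limit, rule 2 accepts
    within the limit, rule 3 logs everything left over, rule 4 drops it.
    Because both '-m limit' buckets see identical packets, one bucket models
    them both.  Returns (src_ip, verdict, log_prefix) per packet."""
    limit = limit or LimitMatch()
    verdicts = []
    for t, src in events:
        if limit.allow(t):
            verdicts.append((src, "ACCEPT", "SSH connexion "))
        else:
            verdicts.append((src, "DROP", "SSH connexion attack dropped "))
    return verdicts


# Constructed burst: eight SYNs in eight seconds, then one 800 s later.
SAMPLE_EVENTS = [(t, "203.0.113.7") for t in range(8)] + [(807, "203.0.113.7")]

# Netfilter LOG output carries the --log-prefix immediately before 'IN='.
LOG_RE = re.compile(
    r"kernel: (?P<prefix>SSH connexion(?: attack dropped)?) IN=(?P<iface>\S*)"
    r".*?SRC=(?P<src>\S+).*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)")

# Constructed syslog excerpt (TEST-NET addresses); the sshd line is noise
# the parser must ignore.
KERNEL_LOG = """\
Jan 24 03:02:11 gw kernel: SSH connexion IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 24 03:02:12 gw kernel: SSH connexion IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=2 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 24 03:02:13 gw sshd[4242]: Accepted publickey for alice from 198.51.100.9 port 51000 ssh2
Jan 24 03:02:14 gw kernel: SSH connexion attack dropped IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=3 DF PROTO=TCP SPT=40003 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 24 03:02:15 gw kernel: SSH connexion attack dropped IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=4 DF PROTO=TCP SPT=40004 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 24 03:02:16 gw kernel: SSH connexion attack dropped IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=5 DF PROTO=TCP SPT=40005 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 24 03:09:40 gw kernel: SSH connexion IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=9 DF PROTO=TCP SPT=51001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""


def summarize_kernel_log(lines):
    """Group LOG lines by prefix, then by source address, like the
    'Dropped ... / Logged ...' sections of a logwatch report.
    Returns {prefix: Counter({src: packets})}."""
    summary = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.search(line)
        if m is None:
            continue                      # not a netfilter LOG line
        summary[m["prefix"]][m["src"]] += 1
    return summary


def render_summary(summary, iface="eth0"):
    """Produce logwatch-style text from summarize_kernel_log()'s result."""
    out = []
    for prefix, per_src in sorted(summary.items()):
        label = "Dropped" if "dropped" in prefix else "Logged"
        out.append(f"{label} {sum(per_src.values())} packets on interface {iface}")
        for src, n in sorted(per_src.items(), key=lambda kv: -kv[1]):
            out.append(f"   From {src} - {n} packet{'s' if n != 1 else ''} to tcp(22)")
    return "\n".join(out)


if __name__ == "__main__":
    for src, verdict, prefix in simulate_ssh_rules(SAMPLE_EVENTS):
        print(f"{src:14} {verdict:6} {prefix!r}")
    print(render_summary(summarize_kernel_log(KERNEL_LOG.splitlines())))
```

With the constructed burst, the first five SYNs are accepted (the full bucket), the next three are dropped, and after 800 seconds at 5/hour enough credit has accrued for one more accept, which is why a brute-forcer sees only a handful of connections per hour while a legitimate user who retries after a pause still gets in.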




More information about the fedora-list mailing list