Stealthing Ports in system-config-securitylevel was: SSH brute force attack
Paul Jakma
paul at dishone.st
Tue May 3 10:09:38 UTC 2005
On Thu, 28 Apr 2005, Roger Grosswiler wrote:
> We have a nice tool called system-config-securitylevel, why isn't
> it possible to indicate some ips or ranges there an click to
> "stealth" so, this port is just visible to the indicated
> ip-adresses??
Usually with ssh you want it generally accessible. The 'recent'
module is useful though, to slow-down brute force attacks:
# grep ssh-scan /etc/sysconfig/iptables
:ssh-scan - [0:0]
-A infilter -j ssh-scan
-A ssh-scan -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
-A ssh-scan -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH --rsource -j LOG --log-prefix "SSH Scan: "
-A ssh-scan -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH --rsource -j DROP
(as seen on Debian Planet).
The hitcount parameter probably should be reduced to 3 to 5 though
(I use 8 to filter ssh to a whole subnet).
regards,
--
Paul Jakma paul at clubi.ie paul at jakma.org Key ID: 64A2FF6A
Fortune:
You will lose an important tape file.
More information about the fedora-test-list
mailing list