SSH brute force attack prevention
Hello,
Can someone give me an example of a static IPTABLES-based solution (only connections from whitelisted IP addresses)?
Thanks in advance
Puma
Re: SSH brute force attack prevention
Linux is like a wigwam - no windows, no gates, apache inside!
Re: SSH brute force attack prevention
I have been using hosts.deny and hosts.allow to "protect" my bubba.
In my hosts.deny I have this
ALL: ALL
and in my hosts.allow I have a list of trusted hosts that I allow to connect.
Is this the best way to approach this? Which problems can I expect? Should I use iptables instead?
Re: SSH brute force attack prevention
This is what I'm using. Add this to the end of your INPUT rules (in /etc/networking/firewall.conf).
Note that I commented out the logging command. As I've written it, it would log every single attack attempt, and that might flood the log. I don't really care to do anything but drop those connections anyway, so I commented it out. There's a way to rate-limit the log messaging, which would be a great compromise, but I didn't bother to work that out.
Code:
-A INPUT -p tcp -m tcp --dport 22 -m recent --set --name SSH
#-A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH Attack: "
-A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
Re: SSH brute force attack prevention
Thanks for taking the time to help, I really appreciate it.
Re: SSH brute force attack prevention
Another way is to implement port knocking as described here:
http://forum.excito.net/viewtopic.php?f=8&t=1399
Re: SSH brute force attack prevention
Yes, that's a great alternative too. The only downside is that you have to have ready access to a knock client on any machine from which you intend to originate an SSH connection. But honestly, I think that in my case, I would. Might have to look into this more.
Re: SSH brute force attack prevention
mcg wrote:
Yes, that's a great alternative too. The only downside is that you have to have ready access to a knock client on any machine from which you intend to originate an SSH connection. But honestly, I think that in my case, I would. Might have to look into this more.

If you have telnet or a web browser on your computer you can use them to knock, so that's pretty much a non-issue. But yes, it is a bit cumbersome.
Re: SSH brute force attack prevention
I have some practices I use to prevent being vulnerable to brute force attacks:
1. relocate the ssh port, for example not 22 but 6666, as all scanners are looking for easy targets on port 22.
2. only have the ssh port exposed to those servers that I really need/want access to using ssh.
3. only allow an ssh key and not a password.
4. or have a really good password (system) http://forum.excito.net/viewtopic.php?f=8&t=1007
tip: listen to http://www.grc.com/sn
cheers
Eek
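Eek's four points expressed as an sshd configuration, added here as an example and not Eek's own configuration. The port number is the one Eek used as an illustration, and the user name and address patterns are constructed placeholders; point 2 is also done in the firewall in practice, since AllowUsers only rejects after the TCP connection and key exchange, so scanners still see the service.

```sshd_config
# Added example drop-in, not Eek's own configuration. Put it in
# /etc/ssh/sshd_config.d/10-hardening.conf on OpenSSH 8.2+ (where the stock
# sshd_config carries an "Include /etc/ssh/sshd_config.d/*.conf" line); on older
# builds such as a Bubba's, paste the directives into /etc/ssh/sshd_config itself.

# 1. relocate the port (6666 is the number Eek used; any unused high port works,
#    and the firewall rule for SSH must be changed to match)
Port 6666

# 2. accept logins only for named users from the machines you actually log in from.
#    "admin" and the address patterns are constructed placeholders; the HOST part
#    of USER@HOST may be an address, a wildcard pattern or a CIDR block.
AllowUsers admin@203.0.113.5 admin@198.51.100.0/24

# 3. keys only: no password and no keyboard-interactive fallback
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no

# 4. with passwords switched off, password strength no longer matters to sshd
#    itself; these limits still slow down anyone hammering the service
MaxAuthTries 3
LoginGraceTime 30
MaxStartups 10:30:60
```

Check the result with `sshd -t` before restarting the daemon, and keep the current session open until a new login with a key from a listed address succeeds; with PasswordAuthentication off and an untested key, a restart is the quickest way to lock yourself out of a headless box.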