[plug] ssh scans
Jonathan Young
jonathan at pcphix.com
Tue Sep 19 18:39:41 WST 2006
I would also suggest preventing ssh shell access for users with dodgy
passwords or for those who don't need it.
For example, on most of my Linux boxes, I have ssh access and sudo
rights, but you cannot log in as root via ssh.
Stuart Midgley wrote:
> rules like these can also assist
>
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --rttl --name SSH --rsource -j LOG --log-prefix "SSH_brute_force"
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --rttl --name SSH --rsource -j DROP
>
> which only accept 5 connections in 60s to port 22... if it gets more
> than that, it drops the packets. Doesn't work with old versions of
> iptables.
>
> Stu.
>
>
>
> On 11/09/2006, at 9:34, Shannon Carver wrote:
>
>> Interesting! Jason's IPB Monitor sounds like a good all-in-one package,
>> might give it a go tonight for my home Machine.
>>
>> I'm lucky in my current position, that most of the boxes I administer, I do
>> so on my own, so I can limit SSH connections to a set of IPs where I'll be
>> connecting from, or in the case that other users do need SSH access to the
>> system they're usually only connecting from Work connections anyway (static
>> IPs), VPN etc.
>>
>> Thanks for the IPB monitor link!
>
>
> --
> Dr Stuart Midgley
> Industry Uptake Program Leader
> iVEC, 'The hub of advanced computing in Western Australia'
> 26 Dick Perry Avenue, Technology Park
> Kensington WA 6151
> Australia
>
> Phone: +61 8 6436 8545
> Fax: +61 8 6436 8555
> Email: industry at ivec.org
> WWW: http://www.ivec.org
--
Jonathan Young
Director of PC-PHIX
jonathan at pcphix.com
Phone: 0410 455 674
Web: http://www.pcphix.com/
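
Added example, not part of the original thread: a small Python summary of the kernel log lines written by the quoted LOG rule, grouped by source address. The sample lines, host name and addresses are constructed; the function names are illustrative. The LOG target puts no separator after `--log-prefix`, so with the prefix as quoted the text runs straight into `IN=`, and the pattern allows for that.

```python
import re

PREFIX = "SSH_brute_force"  # --log-prefix value from the quoted rules

# Constructed sample kernel log lines (documentation address ranges).
SAMPLE_LOG = """\
Sep 19 18:40:01 gw kernel: SSH_brute_forceIN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40112 DPT=22 SYN
Sep 19 18:40:02 gw kernel: SSH_brute_forceIN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40113 DPT=22 SYN
Sep 19 18:40:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=60 TTL=60 PROTO=TCP SPT=51000 DPT=80 SYN
Sep 19 18:41:30 gw kernel: SSH_brute_forceIN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TTL=47 PROTO=TCP SPT=33001 DPT=22 SYN
Sep 19 18:41:31 gw kernel: SSH_brute_forceIN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40120 DPT=22 SYN
"""

# Syslog timestamp, then the prefix (with or without a trailing space),
# then the SRC= and TTL= fields of the logged packet.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\skernel:.*?"
    + re.escape(PREFIX)
    + r"\s*IN=.*?\bSRC=(?P<src>\S+).*?\bTTL=(?P<ttl>\d+)"
)


def summarize(log_text):
    """Return {source_ip: {"hits", "first", "last", "ttls"}} for logged packets."""
    summary = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not written by the SSH_brute_force LOG rule
        entry = summary.setdefault(
            m["src"], {"hits": 0, "first": m["ts"], "last": m["ts"], "ttls": set()}
        )
        entry["hits"] += 1
        entry["last"] = m["ts"]
        entry["ttls"].add(int(m["ttl"]))  # the rules match on TTL too (--rttl)
    return summary


def noisy_sources(summary, min_hits):
    """Sources with at least min_hits logged packets, busiest first."""
    rows = [(src, e["hits"]) for src, e in summary.items() if e["hits"] >= min_hits]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for src, hits in noisy_sources(summarize(SAMPLE_LOG), 1):
        print(src, hits)
```
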