[plug] ssh scans

Jonathan Young jonathan at pcphix.com
Tue Sep 19 18:39:41 WST 2006


I would also suggest preventing ssh shell access for users with dodgy 
passwords or for those who don't need it.

For example, on most of my Linux boxes, I have ssh access and sudo 
rights, but you cannot log in as root via ssh.

Stuart Midgley wrote:
> rules like these can also assist
>
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --rttl --name SSH --rsource -j LOG --log-prefix "SSH_brute_force"
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --rttl --name SSH --rsource -j DROP
>
> which only accept 5 connections in 60s to port 22... if it gets more 
> than that, it drops the packets.  Doesn't work with old versions of 
> iptables.
>
> Stu.
>
>
>
> On 11/09/2006, at 9:34, Shannon Carver wrote:
>
>> Interesting!  Jason's IPB Monitor sounds like a good all-in-one package,
>> might give it a go tonight for my home Machine.
>>
>> I'm lucky in my current position, that most of the boxes I administer, I do
>> so on my own, so I can limit SSH connections to a set of IP's where I'll be
>> connecting from, or in the case that other users do need SSH access to the
>> system they're usually only connecting from Work connections anyway (static
>> IPs), VPN etc.
>>
>> Thanks for the IPB monitor link!
>
>
> -- 
> Dr Stuart Midgley
> Industry Uptake Program Leader
> iVEC, 'The hub of advanced computing in Western Australia'
> 26 Dick Perry Avenue, Technology Park
> Kensington WA 6151
> Australia
>
> Phone: +61 8 6436 8545
> Fax: +61 8 6436 8555
> Email: industry at ivec.org
> WWW:  http://www.ivec.org


-- 
Jonathan Young
Director of PC-PHIX
jonathan at pcphix.com

Phone: 0410 455 674
Web: http://www.pcphix.com/
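
Added example (not part of the original post or thread): a small Python check for the two sshd settings recommended in the reply above, no root login over ssh and ssh access limited to the users who need it. The two sample configs and the group name `sshusers` are constructed for illustration, and `Match` blocks are deliberately not evaluated.

```python
"""Audit sshd_config text for root login and per-user ssh restrictions."""

# Allow*/Deny* lines accumulate; for other keywords sshd keeps the first value.
ACCESS_KEYWORDS = ("allowusers", "allowgroups", "denyusers", "denygroups")

# Constructed sample inputs (not taken from any real host).
WEAK = "Port 22\nPermitRootLogin yes\n#AllowGroups sshusers\n"
HARDENED = "Port 22\npermitrootlogin=no\nAllowGroups sshusers\n"

def parse_global(text):
    """Return {keyword: [args]} for the global section (before any Match)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and value may be separated by whitespace or a single '='.
        parts = line.replace("=", " ", 1).split()
        if not parts:
            continue
        key, args = parts[0].lower(), parts[1:]  # keywords are case-insensitive
        if key == "match":
            break  # conditional overrides are out of scope for this check
        if key in ACCESS_KEYWORDS:
            settings.setdefault(key, []).extend(args)
        else:
            settings.setdefault(key, args)  # first occurrence wins
    return settings

def audit(text):
    """Return a list of findings; an empty list means both checks passed."""
    s = parse_global(text)
    findings = []
    root = (s.get("permitrootlogin") or ["<unset>"])[0].lower()
    if root == "<unset>":
        findings.append("PermitRootLogin not set: default depends on the OpenSSH version")
    elif root != "no":
        findings.append("PermitRootLogin is %r: root can still log in over ssh" % root)
    if not (s.get("allowusers") or s.get("allowgroups")):
        findings.append("no AllowUsers/AllowGroups: ssh login is not limited to named accounts")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "ok")
```
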
