[plug] firewalling ssh

Tim Bowden tim.bowden at westnet.com.au
Mon Jan 8 23:16:13 WST 2007

On Mon, 2007-01-08 at 18:27 +0900, Bernd Felsche wrote:
> Tim Bowden <tim.bowden at westnet.com.au> writes:
> >I'm trying to protect a debian box from ssh attacks.  I need to be
> >able to ssh in from anywhere so I need to keep port 22 open. What I
> >would like to do though is drop connection requests from any
> >address that attempts to connect more than three or four times in
> >less than a minute.  Any ideas on how to do it?  What I'd like to
> You've never mis-typed a password? Twice?

Yes.  Most certainly, and more than twice, though rarely more than 3
times.  By the third go, I'm going real slow hitting each key with great
care, feeling rather clumsy and foolish.

> >do is an iptables rule that does rate limiting syn packets per each
> >source address but I don't believe that's possible (at least out of
> >the box).
> You should also look at "port knocking".
> This means that you don't run the sshd (at the usual port) but with
> a deft sequence of hitting a pre-defined sequence of ports within a
> short period of time, you then set the sshd to listen to the IP
> address from which you're knocking... for a minute.
> Connection by pre-shared key is also possible which frustrates
> dictionary attacks for trying to get access. Change the key
> irregularly.

Never heard of it, but I'm intrigued.  Will read up on it.

Tim Bowden

More information about the plug mailing list