[plug] firewalling ssh
Tim Bowden
tim.bowden at westnet.com.au
Mon Jan 8 23:16:13 WST 2007
On Mon, 2007-01-08 at 18:27 +0900, Bernd Felsche wrote:
> Tim Bowden <tim.bowden at westnet.com.au> writes:
>
> >I'm trying to protect a debian box from ssh attacks. I need to be
> >able to ssh in from anywhere so I need to keep port 22 open. What I
> >would like to do though is drop connection requests from any
> >address that attempts to connect more than three or four times in
> >less than a minute. Any ideas on how to do it? What I'd like to
>
> You've never mis-typed a password? Twice?
>
Yes. Most certainly, and more than twice, though rarely more than 3
times. By the third go, I'm going real slow hitting each key with great
care, feeling rather clumsy and foolish.
> >do is an iptables rule that does rate limiting syn packets per each
> >source address but I don't believe that's possible (at least out of
> >the box).
>
> You should also look at "port knocking".
>
> This means that you don't run the sshd (at the usual port) but with
> a deft sequence of hitting a pre-defined sequence of ports within a
> short period of time, you then set the sshd to listen to the IP
> address from which you're knocking... for a minute.
>
> Connection by pre-shared key is also possible which frustrates
> dictionary attacks for trying to get access. Change the key
> irregularly.
Never heard of it, but I'm intrigued. Will read up on it.
Thanks,
Tim Bowden
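The per-source limit Tim asks for is possible with stock iptables via the `recent` match, which keeps a kernel-side list of source addresses and timestamps. The script below is an added example, not code from the thread or from either poster; the port (22), the window (60 seconds), the hit count (4, so the fourth new connection inside the window is dropped), the chain name `SSH_LIMIT` and the list name `ssh` are all assumed values. The `--update` form refreshes the source's timestamp on every hit, so an address that keeps retrying stays blocked until it has been quiet for the whole window; `--rcheck` would test without refreshing. The script only prints the rules unless run as `apply` by root.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): rate-limit new SSH
# connections per source address with the iptables "recent" match.
# All of the values below are assumptions; adjust them to local policy.
SSH_PORT=22
SSH_WINDOW=60      # seconds the kernel looks back when counting hits
SSH_HITS=4         # the Nth new connection inside the window is dropped
SSH_CHAIN=SSH_LIMIT
SSH_LIST=ssh       # name of the recent-module list (/proc/net/xt_recent/ssh)

# Emit the rules one per line without applying them, so they can be
# reviewed, diffed, or fed into a firewall script.
ssh_ratelimit_rules() {
cat <<EOF
iptables -N ${SSH_CHAIN}
iptables -A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ${SSH_CHAIN}
iptables -A ${SSH_CHAIN} -m recent --name ${SSH_LIST} --set
iptables -A ${SSH_CHAIN} -m recent --name ${SSH_LIST} --update --seconds ${SSH_WINDOW} --hitcount ${SSH_HITS} -j DROP
iptables -A ${SSH_CHAIN} -j RETURN
EOF
}
# Rule walk-through:
#  1. only NEW tcp/22 packets (SYNs, once conntrack knows them) enter the chain;
#  2. --set records the source address and the current time in the list;
#  3. --update matches when the source has SSH_HITS entries within SSH_WINDOW
#     seconds (the one just recorded counts) and refreshes its timestamp,
#     so a source that keeps hammering is blocked until it stays quiet;
#  4. everything else returns to INPUT, where the normal ACCEPT rule applies.
# On a 2007-era kernel "-m state --state NEW" is the older spelling of the
# conntrack match; the recent module itself has been available since 2.6.

# Count how many rules the generator emits; handy for a sanity check.
ssh_ratelimit_rule_count() {
    ssh_ratelimit_rules | wc -l | tr -d ' '
}

# Apply the rules. Refuses to run unless root, because iptables needs it.
ssh_ratelimit_apply() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "ssh_ratelimit_apply: must be run as root" >&2
        return 1
    fi
    ssh_ratelimit_rules | sh -e
}

case "${1:-print}" in
    apply) ssh_ratelimit_apply ;;
    *)     ssh_ratelimit_rules ;;
esac
```

Usage: `sh ssh-ratelimit.sh` prints the five rules; `sudo sh ssh-ratelimit.sh apply` installs them. Check the live list afterwards with `cat /proc/net/xt_recent/ssh`, and remember that a mistyped password does not add a hit: the count is per new TCP connection, so several wrong passwords inside one session are free, but reconnecting four times inside a minute is not.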