Third tip: run OpenVPN on your server and disallow public access to all non-VPN
IPs on all ports, and open to the public only those you really need. Keep
OpenVPN updated to avoid stuff like the past Heartbleed attack, and rotate
certificates. Connect to the VPN to access all "privileged" ports that are only
available through the VPN.

Cheers,
Sebastian

> On 03 Apr 2015, at 11:41, Hasan Akgöz <hasanak...@mail.ru> wrote:
> 
> second tip:
> 
> It does this by using simple Access List Rules which are included in the two 
> files /etc/hosts.allow and /etc/hosts.deny . Firstly allow access by placing 
> the following inside /etc/hosts.allow:
> 
> /etc/hosts.allow
> sshd: 1.2.3.0/255.255.255.0    ( 1.2.3.0 secure network )
> 
> Then disallow all further access by placing this in /etc/hosts.deny:
> 
> /etc/hosts.deny
> sshd: ALL
> 
> third tip:
> 
> Change the absolute ssh port. For example 2122.
> 
> 2015-04-03 17:01 GMT+03:00 Dan McAllister <q...@it4soho.com>:
>> On 4/2/2015 5:20 PM, Dave M wrote:
>>> This should make you smile
>>> 
>>> I have just this minute finished an install of Centos7 to prepare for the 
>>> qmail-toaster install.
>>> 
>>> After the first update , and reboot, I logged in via ssh
>>> 
>>> Up pops the security message:
>>> 
>>> There were 249 failed login attempts since the last successful login.
>>> 
>>> Thankfully the default firewall took care of them
>>> 
>>> Just be careful doing installs with live external IP, and disabling the 
>>> firewall until you are done
>>> 
>>> Made me laugh : )
>> 
>> Just a tip -- 
>> 
>> Instead of leaving your SSH port open, put a connection limit on it:
>> 
>> The following entries are from an iptables config file:
>> 
>> # --syn: count only new connections, so packets of an already accepted session are never throttled
>> -A INPUT -p tcp --dport 22 --syn -m limit --limit 2/minute -j ACCEPT
>> -A INPUT -p tcp --dport 22 -j DROP
>> 
>> You can fail your login attempt twice per minute, then you're dropped for 
>> the remainder of the minute.
>> In most cases, they fail the login twice in like a 10-second period, fail a 
>> few more times (with unsuccessful connections this time) and finally quit -- 
>> blissfully unaware that they could try 2 more times in 60 seconds.
>> 
>> The point is, if you're just fat-fingering your SSH password, no worries - 
>> wait 60 seconds....
>> But if you're trying a brute-force attack, good luck -- instead of hundreds 
>> of tries per minute, you now get just 2...
>> 
>> Needless to say, you can adjust to your own recipe...
>> 
>> Dan McAllister
>> IT4SOHO
>> 
>> 
>> -- 
>> IT4SOHO, LLC
>> 33 - 4th Street N, Suite 211
>> St. Petersburg, FL 33701-3806
>> 
>> CALL TOLL FREE:
>>   877-IT4SOHO
>> 
>> 877-484-7646 Phone
>> 727-647-7646 Local
>> 727-490-4394 Fax 
>> 
>> We have support plans for QMail!
>> 
> 
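Putting the three tips together, here is an added example script (mine, not code posted by anyone in the thread). It models Hasan's hosts.allow/hosts.deny decision for sshd (only the net/mask pattern form), emits an iptables-restore ruleset that layers Dan's per-minute limit on top of Sebastian's "privileged ports only over the VPN" policy, and spells out two things the thread's rule leaves implicit: `--syn` so only new connections are counted, and `--limit-burst`, which the limit module otherwise defaults to 5. The tunnel interface tun0, OpenVPN on UDP 1194, the public ports 25/80/443 and the privileged ports 22/3306/5432 are all constructed assumptions; adjust them for your host.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed (constructed) values:
# tunnel interface tun0, OpenVPN on UDP 1194, public services SMTP/HTTP/HTTPS,
# privileged services SSH/MySQL/PostgreSQL reachable only through the VPN.

VPN_IF="${VPN_IF:-tun0}"
PUBLIC_TCP="${PUBLIC_TCP:-25 80 443}"
PRIVILEGED_TCP="${PRIVILEGED_TCP:-22 3306 5432}"

# Dotted-quad IPv4 -> integer, for netmask arithmetic.
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# tcpd reads hosts.allow first and stops at the first match; hosts.deny
# ("sshd: ALL") is consulted only when nothing in hosts.allow matched. With
# the two files from the thread that reduces to: allowed iff the client
# address lies inside net/mask. Defaults are the thread's 1.2.3.0/255.255.255.0.
wrappers_allow_ssh() {
    client=$(ip_to_int "$1")
    net=$(ip_to_int "${2:-1.2.3.0}")
    mask=$(ip_to_int "${3:-255.255.255.0}")
    [ $(( client & mask )) -eq $(( net & mask )) ]
}

# Emit an iptables-restore ruleset (load with: gen_ruleset | iptables-restore).
gen_ruleset() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections we already accepted pass here, before any
    # rate limit, so an open SSH session is never throttled.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # OpenVPN itself has to be reachable from the public side.
    printf '%s\n' '-A INPUT -p udp --dport 1194 -j ACCEPT'
    # Privileged services: only from the tunnel, no limit.
    for p in $PRIVILEGED_TCP; do
        printf '%s\n' "-A INPUT -i $VPN_IF -p tcp --dport $p -j ACCEPT"
    done
    # Public SSH fallback: two new connections per minute. --syn counts only
    # connection attempts; --limit-burst 2 overrides the module default of 5.
    printf '%s\n' '-A INPUT -p tcp --dport 22 --syn -m limit --limit 2/minute --limit-burst 2 -j ACCEPT'
    # Log the overflow, itself rate limited so a scanner cannot flood syslog.
    printf '%s\n' '-A INPUT -p tcp --dport 22 --syn -m limit --limit 5/minute -j LOG --log-prefix "ssh-ratelimit: "'
    printf '%s\n' '-A INPUT -p tcp --dport 22 -j DROP'
    for p in $PUBLIC_TCP; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Stand-alone run: ./ruleset.sh --demo shows the wrapper decision for two
# constructed clients and prints the ruleset without loading it.
if [ "${1:-}" = "--demo" ]; then
    for ip in 1.2.3.77 1.2.4.1; do
        if wrappers_allow_ssh "$ip"; then
            echo "$ip: allowed by hosts.allow"
        else
            echo "$ip: denied by hosts.deny"
        fi
    done
    gen_ruleset
fi
```

Review the printed ruleset before piping it into iptables-restore, and do so from a console or the VPN, not over a public SSH session: the INPUT policy is DROP, so a typo in PUBLIC_TCP or VPN_IF locks you out the moment the rules load.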
