I have a mgmt machine to connect to all my servers. Then I access that mgmt 
machine via SSH with keys and a passphrase. 2-factor authentication is going to 
be layered on as well.

-- 
DNK

On April 3, 2015 at 3:08:50 PM, Cecil Yother, Jr. (c...@yother.com) wrote:

Yet another tip.

Isolate your IP in iptables like so:

-A INPUT -p tcp -m tcp -s 192.168.0.1 --dport 5150 -j ACCEPT

using a non-standard port and replacing the private IP with your public IP address.

The only problem with this approach is accessing it from the road where your IP 
is changing. 



On 04/03/2015 11:41 AM, Hasan Akgöz wrote:
Second tip:

It does this by using simple Access List Rules which are included in the two 
files /etc/hosts.allow and /etc/hosts.deny . Firstly allow access by placing 
the following inside /etc/hosts.allow:

/etc/hosts.allow
sshd: 1.2.3.0/255.255.255.0    # 1.2.3.0 secure network

Then disallow all further access by placing this in /etc/hosts.deny:

/etc/hosts.deny
sshd: ALL

Third tip:

Change the absolute SSH port. For example, 2122.




2015-04-03 17:01 GMT+03:00 Dan McAllister <q...@it4soho.com>:
On 4/2/2015 5:20 PM, Dave M wrote:
This should make you smile

I have just this minute finished an install of CentOS 7 to prepare for the 
qmail-toaster install.

After the first update and reboot, I logged in via SSH.

Up pops the security message:

There were 249 failed login attempts since the last successful login.

Thankfully the default firewall took care of them.

Just be careful doing installs with a live external IP and disabling the 
firewall until you are done.

Made me laugh : )

Just a tip --

Instead of leaving your SSH port open, put a connection limit on it:

The following entries are from an iptables config file:

-A INPUT -p tcp --dport   22 -m limit --limit 2/minute  -j ACCEPT
-A INPUT -p tcp --dport   22 -j DROP

You can fail your login attempt twice per minute, then you're dropped for the 
remainder of the minute.
In most cases, they fail the login twice in like a 10-second period, fail a few 
more times (with unsuccessful connections this time) and finally quit -- 
blissfully unaware that they could try 2 more times in 60 seconds.

The point is, if you're just fat-fingering your SSH password, no worries - wait 
60 seconds....
But if you're trying a brute-force attack, good luck -- instead of hundreds of 
tries per minute, you now get just 2...

Needless to say, you can adjust to your own recipe...

Dan McAllister
IT4SOHO


--  
IT4SOHO, LLC
33 - 4th Street N, Suite 211
St. Petersburg, FL 33701-3806

CALL TOLL FREE:
  877-IT4SOHO

877-484-7646 Phone
727-647-7646 Local
727-490-4394 Fax  

We have support plans for QMail!


