On 2011/12/30 00:14, MT Julianto wrote:
On 27 December 2011 21:02, jdow <j...@earthlink.net> wrote:

    If the server is not busy that might be an interesting way to keep
    hackers out of the machine. It would also make my log files smaller.


Indeed, I found some traces of intruders trying to get root access via ssh, but
none succeeded.  Now I use fail2ban (available at atrpms) to handle them.

-Tito.

I find zero to five tries a day. For some strange reason every try is from a
different address.

I have my own iptables script with lines like these in it:
$IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
  --rcheck --seconds 60 --hitcount 2 -j LOG --log-prefix 'SSH REJECT: ' \
  --log-level info
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
  --rcheck --seconds 60 --hitcount 2 -j REJECT --reject-with tcp-reset


The -m recent, --seconds 60, and --hitcount 2 phrases are the magic. Much of
that is so that I get the rejects logged, thanks to my sick curiosity.

This allows me to typo the password. All I have to do is wait a couple minutes
between tries (Not all the portable hardware has a good enough ssh
implementation I can eschew passwords.) I also use this for pop3s and imaps,
neither of which have been attacked, yet. That's a little easier than trying
to tunnel pop3 or imap through ssh.

{^_^}
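The behaviour of that rule chain, modelled in Python as an added example (not code from the thread): every SYN is recorded with --set, then --rcheck --seconds 60 --hitcount 2 rejects and logs the address once two SYNs fall inside one 60-second window. The sample SYN timestamps and addresses are constructed; the 20-entry per-address cap is the xt_recent default (ip_pkt_list_tot).

```python
from collections import defaultdict

WINDOW = 60      # --seconds 60
HITCOUNT = 2     # --hitcount 2
LIST_MAX = 20    # xt_recent default: timestamps kept per address


class RecentList:
    """One named '-m recent' table, e.g. 'sshattack'."""

    def __init__(self, name):
        self.name = name
        self.seen = defaultdict(list)   # src address -> SYN timestamps (seconds)

    def set(self, src, now):
        """--set: record this packet's timestamp for src (oldest dropped past the cap)."""
        hist = self.seen[src]
        hist.append(now)
        del hist[:-LIST_MAX]

    def rcheck(self, src, now, seconds=WINDOW, hitcount=HITCOUNT):
        """--rcheck --seconds N --hitcount M: match when src has at least M
        recorded packets within the last N seconds; timestamps are not touched."""
        recent = [t for t in self.seen.get(src, []) if now - t <= seconds]
        return len(recent) >= hitcount


def filter_syns(syns):
    """Run (time, src) SYNs through the three rules in order.
    Returns (time, src, verdict, log_line); log_line mirrors --log-prefix."""
    table = RecentList("sshattack")
    out = []
    for now, src in sorted(syns):
        table.set(src, now)                      # rule 1: --set on every SYN
        if table.rcheck(src, now):               # rules 2 and 3: LOG, then REJECT
            out.append((now, src, "REJECT", f"SSH REJECT: SRC={src}"))
        else:
            out.append((now, src, "ACCEPT", None))
    return out


# Constructed sample: one address hammering the port, one admin retrying
# after 90 s (allowed) and then again after only 40 s (rejected).
SAMPLE = [(0, "198.51.100.7"), (5, "198.51.100.7"), (20, "198.51.100.7"),
          (0, "192.0.2.10"), (90, "192.0.2.10"), (130, "192.0.2.10")]

if __name__ == "__main__":
    for row in filter_syns(SAMPLE):
        print(row)
```

The second address shows why a retry needs more than a minute: the rejected SYN at 130 s is itself recorded, so the next accepted attempt must come more than 60 s after it.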
