Blocking repeat SSH attacks with IPTables
http://www.dsrtech.com/sshblock/

On Thu, 2004-10-14 at 19:10, STYMA, ROBERT E (ROBERT) wrote:
> One more lockdown on ssh I have not seen mentioned recently
> is /etc/hosts.allow and /etc/hosts.deny. The sshd uses these.
> If you have some idea of where people will be ssh'ing from, you
> can limit the IP ranges, or domain names, which can get in.
> If you don't match the list, you never even get to the login
> prompt. For example, my home ssh only allows the IP address of
> my machine at work to get a login prompt.
>
> Note that sshd (and tcpwrappers) looks at hosts.allow first and if
> it gets a thumbs up you get a login prompt. It then looks at
> hosts.deny. If you are not covered by this list, YOU GET IN!
> You probably want a hosts.deny file that reads:
>
> ALL: ALL
>
> That blocks everything except what is in hosts.allow.
>
> If you have a lot of people coming in from very diverse IP addresses,
> you could play the reverse game and use the hosts.deny to just block
> the IP ranges you see trolling. Lots of flexibility here. Breaking in
> to ssh is even harder when you can't get a login prompt.
>
> Robert E. Styma
> Principal Engineer (DMTS)
> Lucent Technologies, Phoenix
> Email: stymar@xxxxxxxxxx
> Phone: 623-582-7323
> FAX: 623-581-4390
> Company: http://www.lucent.com
> Personal: http://www.swlink.net/~styma
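The search order Robert describes (hosts.allow first, then hosts.deny, and access granted when neither matches) is easy to get wrong, so here is an added example that walks through it. This is not code from the original message or from tcp_wrappers: it is a small Python evaluator for a subset of the hosts_access(5) syntax (ALL, exact IPv4 addresses, trailing-dot prefixes, n.n.n.n/m.m.m.m net/mask pairs and EXCEPT; no hostname patterns, LOCAL/KNOWN/PARANOID, option fields or line continuations). The file contents, the function names and the addresses (RFC 5737 documentation ranges) are all constructed for the example. It shows the "office machine only" setup with and without the ALL: ALL catch-all, an EXCEPT'd host, and the "reverse game" of denying only the ranges seen trolling.

```python
"""Simplified hosts_access(5) evaluator (added example, not tcp_wrappers itself).

Decision order, as in tcp_wrappers: a (daemon, client) pair is granted if it
matches hosts.allow, otherwise denied if it matches hosts.deny, otherwise
GRANTED.  Only a subset of the real pattern syntax is supported, IPv4 only.
"""
import ipaddress


def _client_matches(pattern, ip):
    """Match one client pattern against a dotted-quad IPv4 address string."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                  # "198.51.100." is an address prefix
        return ip.startswith(pattern)
    if "/" in pattern:                         # "n.n.n.n/m.m.m.m" net/mask pair
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(
            f"{net}/{mask}", strict=False)
    return pattern == ip


def _daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def _list_matches(tokens, value, match_one):
    """'a b EXCEPT c d' matches when value is in the left list and not the right."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (_list_matches(tokens[:i], value, match_one)
                and not _list_matches(tokens[i + 1:], value, match_one))
    return any(match_one(p, value) for p in tokens)


def parse_access_file(text):
    """Return [(daemon_tokens, client_tokens), ...] from hosts.allow/hosts.deny text."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {line!r}")
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def _any_rule_matches(rules, daemon, ip):
    return any(_list_matches(d, daemon, _daemon_matches)
               and _list_matches(c, ip, _client_matches) for d, c in rules)


def hosts_access(daemon, ip, hosts_allow, hosts_deny):
    """Return ('allow'|'deny', reason) using the tcp_wrappers search order."""
    if _any_rule_matches(parse_access_file(hosts_allow), daemon, ip):
        return "allow", "matched hosts.allow"
    if _any_rule_matches(parse_access_file(hosts_deny), daemon, ip):
        return "deny", "matched hosts.deny"
    return "allow", "matched neither file, so access is granted by default"


# Constructed configurations for this example (hypothetical, documentation addresses).
ALLOW_ONLY_OFFICE = "sshd: 203.0.113.10\n"            # only the work machine
ALLOW_OFFICE_NET = "sshd: 203.0.113. EXCEPT 203.0.113.200\n"
DENY_ALL = "ALL: ALL\n"                               # the catch-all from the message
DENY_EMPTY = ""                                       # no hosts.deny entries at all
DENY_TROLLING = "sshd: 198.51.100., 192.0.2.0/255.255.255.0\n"  # the "reverse game"


def demo():
    """Decisions for the scenarios in the message; values are 'allow' or 'deny'."""
    return {
        "office host, allow + deny ALL":   hosts_access("sshd", "203.0.113.10", ALLOW_ONLY_OFFICE, DENY_ALL)[0],
        "stranger, allow + deny ALL":      hosts_access("sshd", "198.51.100.7", ALLOW_ONLY_OFFICE, DENY_ALL)[0],
        "stranger, allow + empty deny":    hosts_access("sshd", "198.51.100.7", ALLOW_ONLY_OFFICE, DENY_EMPTY)[0],
        "office net, EXCEPT'd host":       hosts_access("sshd", "203.0.113.200", ALLOW_OFFICE_NET, DENY_ALL)[0],
        "trolling prefix, reverse game":   hosts_access("sshd", "198.51.100.7", "", DENY_TROLLING)[0],
        "trolling netmask, reverse game":  hosts_access("sshd", "192.0.2.44", "", DENY_TROLLING)[0],
        "anyone else, reverse game":       hosts_access("sshd", "203.0.113.99", "", DENY_TROLLING)[0],
    }


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{decision:5}  {scenario}")
```

The "stranger, allow + empty deny" case is the trap the message warns about: with an allow entry for the office box but no ALL: ALL in hosts.deny, an unknown address still reaches the login prompt. On a real host, check the live files with the tcpdmatch utility shipped with tcp_wrappers (for example `tcpdmatch sshd 203.0.113.10`) rather than trusting a simulator. Two practitioner caveats: the "ALL: ALL" deny applies to every libwrap-aware daemon, not just sshd, so anything else you rely on needs its own hosts.allow entry; and OpenSSH removed libwrap support in 6.7, so on builds without a distribution patch these files do nothing for sshd and the same gating has to come from `Match Address`/`AllowUsers` in sshd_config or from the packet filter.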