Re: question about ssh

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Dec 30, 2004 at 10:34:36PM -0700, James McKenzie wrote:
> Ed Wilts wrote:
> >On Thu, Dec 30, 2004 at 09:19:35PM +0800, chi wrote:
> 
> >My recommended approach would be to block *all* incoming connections to
> >sshd via either /etc/hosts.deny or via iptables.  Then, add only those
> >hosts or subnets who you know need incoming access.  In my case, I allow
> >incoming access from my office subnet and from a trusted colleague but
> >everybody else is blocked.  
> 
> Example iptables lines please?

I personally don't use iptables - I prefer to do it via tcpwrappers
since it's so trivial to manage. I've masked the output below slightly
(I don't work for trusted.com, whoever they are) but you should get the 
drift.

#
# hosts.deny	This file describes the names of the hosts which are
#		*not* allowed to use the local INET services, as decided
#		by the '/usr/sbin/tcpd' server.
#

#  from %h %a to %d at `date`|tee -a /var/log/secure|mail root
ALL: ALL: spawn echo tcpwrap has detected an unauthorised connection attempt\
  from %h %a to %d at `date`|tee -a /var/log/secure|mail -s 'Unauthorized \
  Connection attempt' root

-----------------------------
#
# hosts.allow	This file describes the names of the hosts which are
#		allowed to use the local INET services, as decided
#		by the '/usr/sbin/tcpd' server.
#
ALL: LOCAL, .ewilts.org, 192.168.0.0/255.255.255.0,127.0.0.1,.trusted.com, 
sendmail: ALL
smtps: ALL

> I think the idea of using port 2222 is a better one.

A port scanner will find you.  Security by obscurity won't help you in
the long run.  The script kiddies will just add 2222 to their list of
ports to check.

-- 
Ed Wilts, RHCE
Mounds View, MN, USA
mailto:ewilts@xxxxxxxxxx
Member #1, Red Hat Community Ambassador Program


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux