Re: I love IP Tables....


 



On Saturday, 26 May 2007 12:19, jdow wrote:
> From: "Amadeus W.M." <amadeus84@xxxxxxxxxxx>
>
> >> People asked - here is the answer:
> >> # Then set up the reject trap
> >> $IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
> >> $IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
> >>   --rcheck --seconds 180 --hitcount 2 -j LOG --log-prefix 'SSH REJECT: '
> >> $IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
> >>   --rcheck --seconds 180 --hitcount 2 -j REJECT --reject-with tcp-reset
> >>
> >>
> >> Adapt it to your configuration, of course. {^_^}   (I probably should
> >> have included that in the first email for politeness. Please 'scuse me.)
> >
> > You do know, that if you run ssh on your pet's birthday port, rather than
> > 22, you will not see any of the crap brute force attacks, don't you?
>
> Yes, but then I've faced enough port scans to realize that security
> through obscurity is horse feathers.
>

I didn't mean to say that hiding your port would be the KEY to all SSH
security :-)
It's just one more barrier against script kiddies. From my point of view, the
best way to avoid brute-force attacks is to only allow public/private key
authentication.


-- 
Manuel Arostegui Ramirez.

Electronic Mail is not secure, may not be read every day, and should not
be used for urgent or sensitive issues.
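The "public-key only" policy the reply recommends is easy to get wrong in sshd_config, because sshd takes the first value it sees for a directive and treats everything after a Match line as conditional. The following is an added example, not code from the list post or from OpenSSH: a small POSIX shell audit that reads a config the way sshd does and reports whether password or keyboard-interactive logins are still reachable. The helper names (sshd_opt, key_only_check, report) are hypothetical, the configs are constructed for the example, and the defaults assumed for unset directives are the OpenSSH ones (PasswordAuthentication yes, ChallengeResponseAuthentication yes, PubkeyAuthentication yes).

```shell
#!/bin/sh
# Added example, not from the list post: audit an sshd_config for the
# "public-key only" policy.  Helper names are hypothetical; the config
# texts below are constructed samples.

# Effective global value of a directive, mirroring two sshd parsing rules:
#   * keywords are case-insensitive and the FIRST occurrence wins, so a
#     "PasswordAuthentication no" appended at the bottom of the file does
#     not override an earlier "yes";
#   * everything after the first "Match" line is conditional, so the scan
#     stops there when looking for the global value.
# $1 = config text, $2 = awk regex of keyword(s); prints value or "unset".
# Assumes whitespace-separated "Keyword value" lines (the usual form).
sshd_opt() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/              { next }   # comment line
        NF == 0                       { next }   # blank line
        tolower($1) == "match"        { exit }   # rest is conditional
        tolower($1) ~ ("^(" key ")$") { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }'
}

# Exit status 0 only when nothing but public-key auth is reachable from
# the network: password auth off, keyboard-interactive (the PAM password
# prompt) off, pubkey on.  Unset directives fall back to OpenSSH defaults.
key_only_check() {
    cfg=$1
    pw=$(sshd_opt "$cfg" 'passwordauthentication')
    # Newer OpenSSH spells this KbdInteractiveAuthentication; both names
    # are the same option, so whichever appears first is the effective one.
    kbd=$(sshd_opt "$cfg" 'challengeresponseauthentication|kbdinteractiveauthentication')
    pub=$(sshd_opt "$cfg" 'pubkeyauthentication')
    [ "$pw" = unset ] && pw=yes      # OpenSSH default: yes
    [ "$kbd" = unset ] && kbd=yes    # OpenSSH default: yes
    [ "$pub" = unset ] && pub=yes    # OpenSSH default: yes
    [ "$pw" = no ] && [ "$kbd" = no ] && [ "$pub" = yes ]
}

# Constructed sample 1: stock-style file, password auth left at its default.
WEAK_CFG='
Port 22
PermitRootLogin yes
#PasswordAuthentication no
UsePAM yes
'

# Constructed sample 2: the gotcha, a "no" appended below an earlier "yes".
TRAP_CFG='
PasswordAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
'

# Constructed sample 3: the "no" sits under a Match block, so it applies
# only to that user and the global value is still the default.
MISPLACED_CFG='
Match User backup
    PasswordAuthentication no
    PubkeyAuthentication yes
'

# Constructed sample 4: what the reply is asking for.
HARDENED_CFG='
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
'

# Human-readable verdict for one config.  $1 = label, $2 = config text.
report() {
    if key_only_check "$2"; then
        echo "$1: key-only"
    else
        echo "$1: password or keyboard-interactive auth still reachable"
    fi
}

report WEAK_CFG "$WEAK_CFG"
report TRAP_CFG "$TRAP_CFG"
report MISPLACED_CFG "$MISPLACED_CFG"
report HARDENED_CFG "$HARDENED_CFG"
```

On a real host the authoritative check is the daemon's own view of its effective settings, `sshd -T` (run as root), grepped for `passwordauthentication`, `challengeresponseauthentication` or `kbdinteractiveauthentication`, and `pubkeyauthentication`; the audit above is useful for reviewing a config before it is deployed, or one pulled from a host where you cannot run sshd. Note that turning off passwords removes the credential the brute-forcers are guessing but does not stop the connection attempts themselves, which is what the quoted iptables `recent` rules address.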

