On Saturday, 26 May 2007 12:19, jdow wrote:
> From: "Amadeus W.M." <amadeus84@xxxxxxxxxxx>
>
> >> People asked - here is the answer:
> >> # Then setup the reject trap
> >> $IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
> >> $IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
> >>     --rcheck --seconds 180 --hitcount 2 -j LOG --log-prefix 'SSH REJECT: '
> >> $IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
> >>     --rcheck --seconds 180 --hitcount 2 -j REJECT --reject-with tcp-reset
> >>
> >> Adapt it to your configuration, of course. {^_^} (I probably should
> >> have included that in the first email for politeness. Please 'scuse me.)
> >
> > You do know that if you run ssh on your pet's birthday port, rather than
> > 22, you will not see any of the crap brute force attacks, don't you?
>
> Yes, but then I've faced enough port scans to realize that security
> through obscurity is horse feathers.

I didn't mean to say that hiding your port would be the KEY to all SSH security :-)
It's just one more barrier to the script kiddies.
From my point of view, the best way to avoid brute-force attacks is to only allow public/private key authentication.

-- 
Manuel Arostegui Ramirez.

Electronic Mail is not secure, may not be read every day, and should not be used for urgent or sensitive issues.
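The last reply recommends allowing only public-key authentication. As an added example that is not part of the original thread, the following POSIX shell script audits an sshd_config for exactly that, with two details that trip people up: OpenSSH uses the first value it finds for each keyword (so a `PasswordAuthentication no` appended below a distro default is silently ignored), and `PasswordAuthentication no` alone still leaves the PAM keyboard-interactive password prompt open unless `KbdInteractiveAuthentication`/`ChallengeResponseAuthentication` is also `no`. The keyword defaults assumed are OpenSSH's compiled-in defaults; the two sample configs, the temp-file handling and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for key-only auth.
# Assumptions: OpenSSH syntax ("Keyword value" or "Keyword=value", full-line
# "#" comments), keywords are case-insensitive, and for every keyword the
# FIRST occurrence wins. The global section ends at the first "Match" block;
# Match and Include are not followed here, so for real effective values run
# this against "sshd -T" output instead of the raw file.

# effective_value FILE KEYWORD DEFAULT
# Print the effective (first) global value of KEYWORD, lowercased, or DEFAULT
# when the keyword is absent (OpenSSH then applies its compiled-in default).
effective_value() {
    _file=$1
    _key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    _default=$3
    _val=$(awk -v key="$_key" '
        /^[ \t]*#/ { next }                  # full-line comment
        { gsub(/=/, " ") }                   # allow Keyword=value
        NF == 0 { next }                     # blank line
        tolower($1) == "match" { exit }      # global section is over
        tolower($1) == key { print tolower($2); exit }   # first occurrence wins
    ' "$_file")
    printf '%s\n' "${_val:-$_default}"
}

# check_key_only_auth FILE
# Print one line per finding; return 0 only if password-style logins are off
# and public-key authentication is on.
check_key_only_auth() {
    _f=$1
    _rc=0
    # OpenSSH defaults when the keyword is missing: all four are "yes".
    _pw=$(effective_value "$_f" PasswordAuthentication yes)
    _kbd=$(effective_value "$_f" KbdInteractiveAuthentication yes)
    _crs=$(effective_value "$_f" ChallengeResponseAuthentication yes)
    _pk=$(effective_value "$_f" PubkeyAuthentication yes)

    if [ "$_pw" != no ]; then
        echo "PasswordAuthentication is '$_pw' (want no)"; _rc=1
    fi
    # ChallengeResponseAuthentication is the legacy alias of
    # KbdInteractiveAuthentication (OpenSSH 8.7+); either one set to "no"
    # closes the PAM password prompt that PasswordAuthentication=no leaves open.
    if [ "$_kbd" != no ] && [ "$_crs" != no ]; then
        echo "keyboard-interactive auth still enabled (KbdInteractive=$_kbd, ChallengeResponse=$_crs)"; _rc=1
    fi
    if [ "$_pk" != yes ]; then
        echo "PubkeyAuthentication is '$_pk' (want yes)"; _rc=1
    fi
    return $_rc
}

# Constructed sample configs (not from any real host). The "weak" one shows a
# common mistake: the shipped default near the top wins, and the hardening
# lines appended at the bottom are ignored.
WEAK_CONF=$(mktemp)
HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT

cat >"$WEAK_CONF" <<'EOF'
Port 22
# shipped default
PasswordAuthentication yes
UsePAM yes
# added later by an admin; has no effect because the first value wins
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF

cat >"$HARD_CONF" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
# per-user exception: outside the scope of this global check
Match User backup
    PasswordAuthentication yes
EOF

for conf in "$WEAK_CONF" "$HARD_CONF"; do
    echo "== $conf"
    if check_key_only_auth "$conf"; then
        echo "OK: key-only authentication enforced"
    else
        echo "FAIL: password-based login still possible"
    fi
done
```

In practice, feed `check_key_only_auth` the output of `sshd -T` (saved to a file) rather than `/etc/ssh/sshd_config`: `-T` prints the effective configuration with `Include` files merged and first-wins already applied, and `sshd -T -C user=alice,host=h,addr=10.0.0.5` shows what a given `Match` block yields for that connection. Pairing this with the `-m recent` trap quoted above covers both the noise (rate-limited SYNs) and the actual risk (a guessable password).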