Vivek J. Patankar wrote:
Rick Stevens wrote:
I have iptables rules that only allow ssh tries from our networks or
machines I know of. To wit:
# Accept SSH from our networks...
-A INPUT -s aaa.bbb.ccc.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s ddd.eee.fff.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
# Accept SSH from my machine at home...
-A INPUT -s ggg.hhh.iii.jjj/32 -p tcp -m tcp --dport 22 -j ACCEPT
(more rules...)
At the end, put in a blanket "don't allow SSH from anywhere else" rule:
# Block any ssh attempts from outside our network...
-A INPUT -i eth0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j
REJECT --reject-with icmp-port-unreachable
I have restricted access to specific IPs only using hosts.deny and
hosts.allow. That does the job for me. And there is a dedicated
firewall sitting between the server and the Web which allows only SSH
connections to come through.
If you must leave ssh open to the outside world, use a simple iptables
ruleset to limit attempts:
*snip*
If more than one ssh attempt is made in 180 seconds (three minutes)
from a given IP address, this blocks that IP address for that duration.
You get one try. If you fail, you must wait 3 minutes before you can
try again.
Note that even a successful login is counted. If you log in and
immediately log out, you still have to wait 3 minutes to get in again.
Change the "--hitcount 2" bits to "--hitcount 3" if you want to give
yourself two tries to get in. You can also change the "--seconds 180"
to "--seconds 300" to make the delay 5 minutes. The values I give above
are enough to discourage most script kiddie attempts to get into your
box.
This is an excellent idea! Thanks a lot.
yum info fail2ban
yum install fail2ban
The fail2ban package dynamically blocks/unblocks IP addresses based on
password failures...
