Re: hardening SSH

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 2007-08-16 at 17:41 -0400, Michael Klinosky wrote:
> Knute:
> > 200.100.0.0/16 or 200.100.0.0/255.255.0.0
> 
> So, would this line work in sshd_config?
> ListenAddress 200.100.0.0/255.255.0.0
> 
> I want to check before I go to that remote computer and try logging in 
> (it's more than an hour drive).

If you only want to allow incoming ssh sessions from that address
block, use iptables and insert a rule:

-A INPUT -p tcp -m tcp -s 200.100.0.0/16 --sync --dport 22 -j ACCEPT

and make sure the last rule is something like:

-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK,FIN,RST SYN -j DROP

to drop any other connection attempts other than the ones allowed above
it.  Personally, I wouldn't open ssh to such a wide IP range (a /16 is
pretty damned big), and if I did, I'd sure put in a "you get X attempts,
and then I block you" rule.

----------------------------------------------------------------------
- Rick Stevens, Principal Engineer             [email protected] -
- CDN Systems, Internap, Inc.                http://www.internap.com -
-                                                                    -
-   "Do you suffer from long-term memory loss?"  "I don't remember"  -
-                            -- Chumbawumba, "Amnesia" (TubThumping) -
----------------------------------------------------------------------


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux