Hi,

On Wednesday 25 October 2006 16:29, Longman, Bill wrote:
> > I've seen many recommendations for port knocking, but I feel that's
> > unnecessarily complex when compared to simply changing the port
> > sshd listens on. While the use of port knocking no doubt further
> > decreases your exposure over an alternate sshd port, the difference
> > is only a small percentage of the benefit you receive from moving
> > away from port 22 in the first place.
>
> I've moved most of my public SSH ports off 22 because it reduces by
> thousandfolds the script kiddies playing with their toys and filling
> my logs and pipes. There is no more efficient means that will give
> you such returns with such little effort.
>
> I only wish I'd done it sooner. Yeah, you'll still get port scanned
> and someone will snoop around, but that's not in the face of the
> storm on port 22.

This is REALLY not a solution against brute-force attacks... You say the
reason: a port scan, and the brute-force can begin...

Solutions could be:

- using a daemon that analyses the logs and blacklists the guy (with
iptables or hosts.deny) after X login tries, such as fail2ban (in
portage), or

- using ipt_recent like this (for example):

iptables -A INPUT -p tcp --dport ssh -m state --state NEW \
    -m recent --set --name SSH
iptables -A INPUT -p tcp --dport ssh -m state --state NEW \
    -m recent --update --seconds 120 --hitcount 5 --rttl --name SSH -j DROP

my 2 cents,
Guillaume

--
Guillaume Castagnino
guilc@×××××××.net / casta@×××××.info

--
gentoo-hardened@g.o mailing list