On Jan 17, 2012 6:11 AM, "Mick" <michaelkintzios@×××××.com> wrote:
>
> On Monday 16 Jan 2012 01:35:04 Pandu Poluan wrote:
> > On Jan 16, 2012 12:58 AM, "Walter Dnes" <waltdnes@××××××××.org> wrote:
> > > On Thu, Jan 12, 2012 at 06:30:03AM -0500, Tanstaafl wrote
> > >
> > > > This is nothing like changing the port for SSH - a port scanner can
> > > > figure that one out in seconds...
> > >
> > > A real BOFH would set up a dummy instance of sshd on the regular port,
> > > as well as a real sshd instance on another port. The dummy instance
> > > could be set up to always fail the login attempt, and with special
> > > iptable rules to not clutter up your logfile.
> >
> > And don't forget to put the false sshd through a tc rule that chokes the
> > return traffic to 1 cps B-)
> >
> > Of course, being the "real sysadmin" a.k.a lazy slob that I am, that's way
> > too much work for not enough bastardly pleasure... I can't gleefully see
> > the face of people trapped in the tc hell :-P
>
>
> Can you set up tc by port? I thought it is only applicable to an interface.
> I need to brush up on this one day.

Actually, yes, by using u32 match.

But I prefer to just MARK the packet in iptables and match against that.

Rgds,
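The two ways of selecting traffic that the reply names, a u32 match on the port versus an iptables MARK picked up by tc's fw filter, written out as an added shell example that is not part of the thread. The interface name, service port, mark value and the throttle rate are assumed placeholders; with DRY_RUN=1 (the default) the script only prints the commands, since applying them needs root and a real interface.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: throttle the replies of
# one service port with tc, selecting the packets either by an iptables
# MARK (tc "fw" filter) or directly with a u32 match on the source port.
# DEV, SVC_PORT, RATE and FWMARK are assumed, illustrative values.

DEV="${DEV:-eth0}"          # assumed egress interface
SVC_PORT="${SVC_PORT:-22}"  # assumed port whose replies are throttled
RATE="${RATE:-8kbit}"       # assumed rate of the slow class
FWMARK="${FWMARK:-1}"       # assumed firewall mark value
DRY_RUN="${DRY_RUN:-1}"     # 1 = print the commands, 0 = execute (root needed)

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" -eq 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Root HTB qdisc on the interface: unmatched traffic lands in class 1:10
# (default, fast), throttled traffic in class 1:20 (slow).
setup_qdisc() {
    run tc qdisc add dev "$DEV" root handle 1: htb default 10
    run tc class add dev "$DEV" parent 1: classid 1:10 htb rate 100mbit
    run tc class add dev "$DEV" parent 1: classid 1:20 htb rate "$RATE" ceil "$RATE"
}

# Variant 1 (the reply's preference): MARK packets leaving from the service
# port in the mangle table, then let tc's fw filter steer that mark to 1:20.
shape_by_mark() {
    run iptables -t mangle -A OUTPUT -o "$DEV" -p tcp --sport "$SVC_PORT" \
        -j MARK --set-mark "$FWMARK"
    run tc filter add dev "$DEV" parent 1: protocol ip prio 1 \
        handle "$FWMARK" fw flowid 1:20
}

# Variant 2: no iptables involved; u32 compares the TCP source port itself
# (mask 0xffff = match all 16 bits of the port).
shape_by_u32() {
    run tc filter add dev "$DEV" parent 1: protocol ip prio 2 u32 \
        match ip sport "$SVC_PORT" 0xffff flowid 1:20
}

# Undo: deleting the root qdisc also drops its classes and filters.
teardown() {
    run tc qdisc del dev "$DEV" root
    run iptables -t mangle -D OUTPUT -o "$DEV" -p tcp --sport "$SVC_PORT" \
        -j MARK --set-mark "$FWMARK"
}

# Usage: sh shape.sh mark | u32 | down   (DRY_RUN=0 to apply for real)
case "${1:-}" in
    mark) setup_qdisc; shape_by_mark ;;
    u32)  setup_qdisc; shape_by_u32 ;;
    down) teardown ;;
esac
```

The fw variant keeps the classification logic in iptables, so the same mark can also drive logging or rate-limit rules there, while the u32 variant is self-contained in tc but must be repeated for every port or protocol you want in the slow class.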