
Re: Great IP Auto-Ban script



> However I was told that ssh has no restriction of this type.

Nor does it need one; iptables does what you want. You can even set it to 
drop the IPs after 'n' number of minutes, hours, days, weeks or whatever.

For me, I just block port 22 from everywhere, and allow it from IPs I know 
and trust, including one public machine out on the net for when I travel. 
My LAN is pretty high visibility, so I try to lock things down as much as 
possible.

When I'm in $RANDOM_HOTEL on travel, I just ssh into this external public 
machine from the hotel LAN, check what my connected IP is, ssh from the public 
machine (which I trust) into my own LAN and open port 22 for the hotel's 
/24. From there, I can then ssh directly from the hotel to my LAN without 
any issues. 

When I'm done, I pull the iptables rule that opens the hotel's network and 
it's all locked down again. Simple and clean. 

sshhosts="127.0.0.1 10.0.1.0/24 1.2.3.4"   # and so on
for sshhost in $sshhosts; do
        iptables -A INPUT -j ACCEPT -p tcp -s "$sshhost" --dport 22
done
iptables -A INPUT -j DROP -p tcp --dport 22

Much safer than allowing 'n' number of attempts before blocking, because 
someone COULD get it right on the first try for people who don't choose 
complicated passwords (which is what these brute force ssh attackers do, 
for the most part). 

Another option is just to set up public keys and forget the whole password 
thing altogether. 

One last option is just to use port knocking:

http://www.portknocking.org/



David A. Desrosiers
Linux on Power Developer Program Manager
daviddes@us.ibm.com
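The allow-list and the temporary "open the hotel's /24, then pull the rule" step described in the post above, as an added example that is not part of the original message or any project's code. It assumes a POSIX sh, IPv4 iptables, and an IPTABLES variable that defaults to a dry run (it prints the commands instead of applying them); set IPTABLES=iptables as root to apply them. The source addresses are constructed sample values, and the validation rejects anything that is not a dotted-quad IPv4 address with an optional /0-32 prefix, so a typo cannot become a rule.

```shell
#!/bin/sh
# Added example: SSH allow-list plus a temporary per-network opening.
# Dry run by default; IPTABLES=iptables applies the rules for real (root).
IPTABLES="${IPTABLES:-echo iptables}"
SSH_PORT="${SSH_PORT:-22}"

# Trusted sources (constructed sample values): loopback, the LAN, one host.
SSH_HOSTS="127.0.0.1 10.0.1.0/24 192.0.2.10"

# Return 0 only for a.b.c.d or a.b.c.d/N with each octet 0-255 and N 0-32.
valid_cidr() {
    case "$1" in
        ''|*[!0-9./]*) return 1 ;;           # empty or contains odd characters
    esac
    addr=${1%%/*}
    if [ "$addr" = "$1" ]; then pfx=32; else pfx=${1#*/}; fi
    case "$pfx" in
        ''|*[!0-9]*|*/*) return 1 ;;         # prefix missing, non-numeric or doubled
    esac
    [ "$pfx" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr                             # split the address on dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Emit (or apply) one ACCEPT rule per trusted source, then DROP everything
# else aimed at the SSH port. $IPTABLES is left unquoted on purpose so the
# dry-run default "echo iptables" splits into a command and an argument.
ssh_allowlist_rules() {
    for h in $SSH_HOSTS; do
        valid_cidr "$h" || { echo "rejected source: $h" >&2; return 1; }
        $IPTABLES -A INPUT -p tcp --dport "$SSH_PORT" -s "$h" -j ACCEPT
    done
    $IPTABLES -A INPUT -p tcp --dport "$SSH_PORT" -j DROP
}

# Temporarily let a visited network (e.g. the hotel's /24) reach SSH.
# Inserted at position 1 so it is evaluated before the DROP rule.
ssh_open_net() {
    valid_cidr "$1" || { echo "rejected network: $1" >&2; return 1; }
    $IPTABLES -I INPUT 1 -p tcp --dport "$SSH_PORT" -s "$1" -j ACCEPT
}

# Pull the rule again when done; -D needs the exact same match to find it.
ssh_close_net() {
    valid_cidr "$1" || { echo "rejected network: $1" >&2; return 1; }
    $IPTABLES -D INPUT -p tcp --dport "$SSH_PORT" -s "$1" -j ACCEPT
}

# Demo (dry run unless IPTABLES=iptables): base policy, then open and close
# a constructed visiting network.
ssh_allowlist_rules
ssh_open_net 203.0.113.0/24
ssh_close_net 203.0.113.0/24
```

Note that ssh_close_net only works if the rule was added with identical match arguments; if you ever edit the open rule by hand, list the chain with `iptables -L INPUT -n --line-numbers` and delete by rule number instead.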
