Roger Bumgarner wrote:
ALLOW rules and SSH keys. Using a non-standard port will stop the majority of automated attackers, but a dedicated attack will find your SSH server: it only takes 20-30 mins to portscan 1-65535.
Not necessarily: http://jengelh.medozas.de/documents/Chaostables.pdf

I've included something like:

  iptables -N deceive
  iptables -A deceive -m statistic --mode random --probability 0.003 -j REJECT --reject-with icmp-proto-unreachable
  iptables -A deceive -m statistic --mode random --probability 0.003 -j REJECT --reject-with icmp-net-prohibited
  iptables -A deceive -m statistic --mode random --probability 0.003 -j REJECT --reject-with icmp-host-prohibited
  iptables -A deceive -m statistic --mode random --probability 0.003 -j REJECT --reject-with icmp-port-unreachable
  iptables -A deceive -m statistic --mode random --probability 0.003 -j REJECT --reject-with icmp-host-unreachable
  iptables -A deceive -m statistic --mode random --probability 0.003 -j REJECT --reject-with icmp-net-unreachable
  iptables -A deceive -p tcp -m statistic --mode random --probability 0.003 -j REJECT --reject-with tcp-reset
  iptables -A deceive -j DROP

then some ALLOW rules:

  ...
  iptables -A INPUT -p tcp --dport $SSH_PORT -m hashlimit --hashlimit-name sshlimit --hashlimit-mode srcip --hashlimit-upto 25/minute --hashlimit-burst 25 --hashlimit-htable-expire 120000 -j ACCEPT

....and then:

  iptables -A INPUT -j deceive

That causes a full portscan with nmap to take a week or so. Apart from that I use portsentry and fail2ban.

Rgds,
Marcin
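Added example, not part of Marcin's post: a small Python helper that generates the same "deceive" chain and works out what the chained `-m statistic --probability 0.003` matches actually do per packet. Each rule only sees packets the earlier rules did not reject, so the seven reject types are not equally likely, and only about 2% of probes get any answer at all; the rest are silently dropped, which is what makes a scanner wait on timeouts. The chain name, probability and port count are taken from the post; `deceive_rules` and the other function names are assumptions of this example.

```python
# Added example (not from the original post): build the "deceive" chain from the
# thread and compute the per-packet response probabilities it produces.
from typing import List, Tuple

# Reject types in the same order as the rules in the post.
REJECT_TYPES = [
    "icmp-proto-unreachable",
    "icmp-net-prohibited",
    "icmp-host-prohibited",
    "icmp-port-unreachable",
    "icmp-host-unreachable",
    "icmp-net-unreachable",
    "tcp-reset",  # only valid for TCP, hence the extra "-p tcp" match
]


def deceive_rules(chain: str = "deceive", probability: float = 0.003) -> List[str]:
    """Return the iptables commands (as strings, not executed) for the chain."""
    rules = [f"iptables -N {chain}"]
    for reject_type in REJECT_TYPES:
        proto = "-p tcp " if reject_type == "tcp-reset" else ""
        rules.append(
            f"iptables -A {chain} {proto}-m statistic --mode random "
            f"--probability {probability} -j REJECT --reject-with {reject_type}"
        )
    rules.append(f"iptables -A {chain} -j DROP")  # everything else is dropped
    return rules


def response_probabilities(probability: float = 0.003,
                           n_rules: int = len(REJECT_TYPES)) -> Tuple[List[float], float]:
    """Per-rule and total share of packets that get any reply.

    Each statistic match is an independent coin toss, but a packet reaches rule k
    only if the k-1 rules before it did not fire, so rule k answers a share of
    p*(1-p)^(k-1) of all packets. The total answered share is 1-(1-p)^n.
    """
    per_rule = [probability * (1 - probability) ** k for k in range(n_rules)]
    answered = 1 - (1 - probability) ** n_rules
    return per_rule, answered


def expected_answered_ports(n_ports: int = 65535, probability: float = 0.003) -> float:
    """Expected number of ports (one probe each) that answer in a single scan pass."""
    _, answered = response_probabilities(probability)
    return n_ports * answered


if __name__ == "__main__":
    print("\n".join(deceive_rules()))
    per_rule, answered = response_probabilities()
    print(f"answered share: {answered:.4f}, first rule: {per_rule[0]:.4f}, "
          f"last rule: {per_rule[-1]:.4f}")
    print(f"ports answering per pass: {expected_answered_ports():.0f} of 65535")
```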