Re: checking if my system is compromised
John L Fjellstad wrote:
>
> I usually enable the recent module in iptables, which means that you can
> only login once every 1 minute or so. It usually gives the attacker only
> one try before they get shut down.
>
> Example:
> # allow established and related connection
> /sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> # if a NEW or INVALID package comes in, and it is in our list within the
> # last 60 seconds, drop the package
> /sbin/iptables -A INPUT -m state --state NEW,INVALID -m recent --update --seconds 60 -j DROP
>
> # allow new connections to ssh port, add the ip address to our recent
> # list
> /sbin/iptables -A INPUT -p tcp --dport ssh -m state --state NEW,INVALID -m recent --set -j ACCEPT
>
[msg snipped]
> Also, in /etc/hosts.deny, set
> ALL: PARANOID
>
Thanks for the tip on iptables. iptables looks a bit heavy for me (a lot of reading
to do). So currently I am using /etc/hosts.allow, /etc/hosts.deny for
controlling the IPs which can ssh into this machine. If I find them
inadequate, I will use iptables.
raju
--
Kamaraju S Kusumanchi
http://www.people.cornell.edu/pages/kk288/
http://malayamaarutham.blogspot.com/
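The three quoted iptables rules, modelled in Python as an added example (not part of the original thread) to show what the rule order does to repeated connection attempts. It assumes ssh is TCP port 22 and reduces the `recent` module to a per-source timestamp; the class and function names and the sample addresses are constructed for illustration.

```python
WINDOW = 60  # --seconds 60


class RecentFilter:
    """Simplified model of the INPUT chain from the quoted example."""

    def __init__(self):
        self.last_seen = {}  # source IP -> last timestamp (the default recent list)

    def packet(self, src, now, state="NEW", dport=22):
        # Rule 1: RELATED,ESTABLISHED -> ACCEPT
        if state in ("RELATED", "ESTABLISHED"):
            return "ACCEPT"
        # Rule 2: NEW/INVALID on ANY port, --update --seconds 60 -> DROP.
        # --update matches when src is listed and was seen inside the window,
        # and every match refreshes the timestamp, extending the lockout.
        seen = self.last_seen.get(src)
        if seen is not None and now - seen < WINDOW:
            self.last_seen[src] = now
            return "DROP"
        # Rule 3: NEW/INVALID to the ssh port -> --set (record src), ACCEPT
        if dport == 22:
            self.last_seen[src] = now
            return "ACCEPT"
        return "POLICY"  # no rule matched; the chain policy decides


def replay(events):
    """events: (time_s, src, state, dport) tuples; returns one verdict each."""
    fw = RecentFilter()
    return [fw.packet(src, t, state, dport) for t, src, state, dport in events]


# Constructed traffic: 192.0.2.10 keeps retrying, 198.51.100.7 connects once.
SAMPLE = [
    (0,   "192.0.2.10",   "NEW",         22),  # first attempt is let through
    (1,   "192.0.2.10",   "ESTABLISHED", 22),  # packets of that session pass
    (30,  "192.0.2.10",   "NEW",         22),  # retry inside the window
    (60,  "192.0.2.10",   "NEW",         22),  # only 30 s since the refresh at t=30
    (75,  "192.0.2.10",   "NEW",         80),  # rule 2 is not limited to ssh
    (100, "198.51.100.7", "NEW",         22),  # other sources are unaffected
    (140, "192.0.2.10",   "NEW",         22),  # 65 s of silence: allowed again
]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE, replay(SAMPLE)):
        print(event, verdict)
```

The same behaviour applies to a legitimate user who mistypes a password and reconnects right away: each retry inside the window is dropped and restarts the 60 seconds.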