
Re: how to find trace of attacks



> fail2ban
> knockd
> knocker
> denyhosts
> http://www.debian-administration.org/articles/187
> http://www.howtoforge.com/preventing_ssh_dictionary_attacks_with_denyhosts

If you know where you'll be sshing in from, you can use iptables to
deny access to the appropriate port with MAC filtering and possibly IP
range rules.

Something like:

iptables -A INPUT -p tcp --dport 22 -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP

This way you can forbid connections to your SSH port from anybody but
the trusted MAC address.  MAC addresses can be spoofed, of course, but
this is one more layer that an attacker would have to jump through,
without requiring much of any effort on your part to set up, and it
will read as "no sshd provided" to a script-kiddie doing a port scan.
If you add a few lines to drop packets for the SSH port from any but a
small trusted range of IP addresses, you increase the security even
further.

Of course you should take all the precautions you can.

On Wed, Dec 31, 2008 at 12:17 PM, Daryl Styrk <darylstyrk@gmail.com> wrote:
> Douglas A. Tutty wrote:
>> On Wed, Dec 31, 2008 at 01:28:47PM +0100, Abdelkader Belahcene wrote:
>>> I am simpler user on laptop, with ssh server running. Ther is no
>>> important data on my laptop!!!
>>
>> Curious.  Why any server running on a laptop?  Do you limit the ssh to
>> rsa/dsa or do you allow passwords?  IOW, how have you hardened up the
>> ssh server?
>>
>> Doug.
>>
>>
>
> fail2ban
> knockd
> knocker
> denyhosts
>
> http://www.debian-administration.org/articles/187
>
> http://www.howtoforge.com/preventing_ssh_dictionary_attacks_with_denyhosts
>
> Look over those..
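The rule set sketched in the reply above (trusted MAC first, then trusted source ranges, then a catch-all DROP for the SSH port), written out as a small Python generator. This is an added example, not code from the original mail; the MAC address, the CIDR ranges and the log prefix are constructed placeholders, and it goes one step beyond the mail by inserting a rate-limited LOG rule so dropped attempts leave a trace in the kernel log.

```python
"""Build an iptables rule set that restricts sshd to a trusted MAC address
and trusted source ranges. Rules are returned as argv lists for review
(dry run) and are only executed when explicitly asked to (needs root)."""
import ipaddress
import re
import subprocess

# Constructed placeholder values; replace with your own.
TRUSTED_MAC = "00:11:22:33:44:55"
TRUSTED_RANGES = ["192.168.1.0/24", "10.8.0.0/16"]
SSH_PORT = 22

# A MAC address is six colon-separated hex octets.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def build_ssh_rules(mac, ranges, port=SSH_PORT):
    """Return iptables commands, in the order they must be appended:
    ACCEPTs first, a rate-limited LOG so dropped attempts are visible in
    the kernel log, then the catch-all DROP.

    Note: -m mac matches the last-hop MAC, so the MAC rule only helps for
    clients on the local segment; remote logins rely on the -s ranges."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a 6-octet MAC address: {mac!r}")
    base = ["iptables", "-A", "INPUT", "-p", "tcp", "--dport", str(port)]
    rules = [base + ["-m", "mac", "--mac-source", mac.upper(), "-j", "ACCEPT"]]
    for cidr in ranges:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects e.g. 10.0.0.1/8
        rules.append(base + ["-s", str(net), "-j", "ACCEPT"])
    rules.append(base + ["-m", "limit", "--limit", "5/min",
                         "-j", "LOG", "--log-prefix", "SSH-DROP: "])
    rules.append(base + ["-j", "DROP"])
    return rules


def apply_rules(rules, dry_run=True):
    """Print each rule; run it only when dry_run is False."""
    for argv in rules:
        print(" ".join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)


if __name__ == "__main__":
    apply_rules(build_ssh_rules(TRUSTED_MAC, TRUSTED_RANGES))
```

Dropped attempts then show up in the kernel log with the "SSH-DROP: " prefix, which is one place to look for the trace of attacks the thread subject asks about.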

