
Re: ssh doesn't work.



	Hi.

On Thu, 8 Dec 2016 15:37:45 +0000
Darac Marjal <mailinglist@darac.org.uk> wrote:

> On Thu, Dec 08, 2016 at 01:18:38AM +0300, Reco wrote:
> >On Wed, 7 Dec 2016 15:54:46 -0500
> >Henning Follmann <hfollmann@itcfollmann.com> wrote:
> >
> >> On Wed, Dec 07, 2016 at 11:28:53PM +0300, Reco wrote:
> >> > 	Hi.
> >> >
> >> > On Wed, 7 Dec 2016 21:14:51 +0200
> >> > Antti Talsta <atalsta@nothingtosee.org> wrote:
> >> >
> >> > > On Wed, Dec 07, 2016 at 01:49:34PM -0500, Greg Wooledge wrote:
> >> > >
> >> > > > Changing the port at least decreases the number of brute force attacks
> >> > > > against you, which saves resources (bandwidth, CPU) that are otherwise
> >> > > > wasted by the attackers.
> >> > >
> >> > > How about fail2ban for that?
> >> >
> >> > How can fail2ban help against an army of bots trying one single
> >> > password per bot?
> >> >
> >> That actually works well. Usually it's multiple attempts from one ip.
> >> fail2ban catches exactly that. And then blacklists that ip.
> >
> >Probably it is so. It's been a while since I ran a publicly accessible
> >sshd on port 22 with password authentication enabled.
> >
> >Personally I prefer a bunch of simple iptables rules to fail2ban
> >though. After all, why bother running a userspace tool, if you can
> >force the kernel itself to do the job?
> 
> Could you share with the group what "simple iptables rules" you use? I 
> presume that iptables, by itself, can't replicate the idea of "block 
> after X failures in Y minutes", but presumably you're using some kind of 
> rate limiting, instead?

Sure. It's in archives somewhere already, but:

# Rule 1: per-source token bucket for new SSH connections. Each source IP
# starts with a burst of 8 new connections and earns one more per hour.
# The hash-table entry for a source is dropped after 65536 ms (about 65 s)
# without packets from it, after which that source starts a fresh burst.
iptables -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW \
  -m hashlimit --hashlimit-upto 1/hour --hashlimit-burst 8 \
  --hashlimit-mode srcip --hashlimit-name ssh \
  --hashlimit-htable-expire 65536 -m comment --comment "HTTPS Blocker" \
  -j ACCEPT

# Rule 2: any remaining SYN to port 22 (a source over its limit) is dropped.
# Only connection attempts are affected; established sessions keep working.
iptables -A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN \
  -m comment --comment "HTTPS Blocker" -j DROP

Back in the day, when I was not that lazy about building kernel modules,
I used TARPIT instead of DROP.


PS: In the previous discussion of this very topic it was pointed out to me
that such an iptables configuration is unsuitable for a certain 'Modern
Desktop Environment'. Therefore this iptables configuration should be used
on an 'understand what I'm doing' basis.

Reco
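To make concrete what the two rules above enforce per source address, and what `--hashlimit-htable-expire` does to that limit, here is an added example that is not part of Reco's post or of the iptables project: a small Python model of hashlimit's per-source token bucket, driven by a constructed timeline of SSH connection attempts. The addresses are RFC 5737 documentation addresses, and the model is simplified in two stated ways (fractional credits instead of the kernel's integer units, and expiry applied at the exact instant rather than at the next garbage-collection sweep).

```python
"""Model of the per-source token bucket behind
`-m hashlimit --hashlimit-mode srcip`, fed a constructed SSH timeline.

Assumptions/simplifications: credits are fractional rather than the kernel's
integer units, and an entry is treated as gone the instant its expiry passes,
whereas the kernel's collector only sweeps every --hashlimit-htable-gcinterval.
"""
from dataclasses import dataclass

_UNITS = {"sec": 1, "second": 1, "min": 60, "minute": 60,
          "hour": 3600, "day": 86400}


def parse_rate(spec):
    """Turn an iptables rate like '1/hour' or '5/minute' into tokens/second."""
    count, unit = spec.split("/")
    return float(count) / _UNITS[unit]


@dataclass
class Entry:
    credit: float   # tokens left for this source
    last: float     # time of the last packet, used for refilling
    expires: float  # time after which the entry is garbage-collected


class Hashlimit:
    def __init__(self, rate_spec, burst, expire_ms):
        self.rate = parse_rate(rate_spec)
        self.burst = burst
        self.expire = expire_ms / 1000.0
        self.table = {}

    def match(self, src, now):
        """True when the hashlimit match succeeds, i.e. rule 1 ACCEPTs the SYN."""
        e = self.table.get(src)
        if e is None or now >= e.expires:
            # Unknown or expired source: a fresh entry starts with a full burst.
            e = Entry(credit=self.burst, last=now, expires=now + self.expire)
            self.table[src] = e
        else:
            # Refill at the configured rate, capped at the burst size;
            # every packet from the source (accepted or not) pushes expiry out.
            e.credit = min(self.burst, e.credit + (now - e.last) * self.rate)
            e.last = now
            e.expires = now + self.expire
        if e.credit >= 1:
            e.credit -= 1
            return True
        return False


# Constructed timeline (documentation addresses, not real hosts): a bot fires
# 12 SYNs one second apart, the admin connects once in between, and the bot
# returns after roughly 70 seconds of silence.
EVENTS = [(float(t), "203.0.113.7") for t in range(12)]
EVENTS += [(5.5, "192.0.2.10"), (82.0, "203.0.113.7")]


def simulate(expire_ms, events=EVENTS):
    """Apply the pair of rules: hashlimit match -> ACCEPT, leftover SYN -> DROP."""
    hl = Hashlimit("1/hour", burst=8, expire_ms=expire_ms)
    return [(t, src, "ACCEPT" if hl.match(src, t) else "DROP")
            for t, src in sorted(events)]


def verdicts(expire_ms, src):
    """Verdict sequence seen by one source under a given table expiry."""
    return [v for _, s, v in simulate(expire_ms) if s == src]


if __name__ == "__main__":
    for expire in (65536, 3600000):
        print(f"--hashlimit-htable-expire {expire}:")
        for t, src, v in simulate(expire):
            print(f"  t={t:6.1f}s  {src:12}  {v}")
```

Running it prints both timelines: with the posted expiry of 65536 ms the bot's first 8 SYNs pass, the next 4 are dropped, the admin's single connection from another address is unaffected, and the bot's attempt after about a minute of silence is accepted again because its entry has been forgotten. With the expiry raised to the refill period (3600000 ms) that last attempt is dropped as well, which is the check to run before relying on this pair of rules instead of fail2ban.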

