[CentOS] Problem SSH
James B. Byrne
ByrneJB at Harte-Lyne.ca
Wed Oct 26 15:10:22 UTC 2005
On Tue, 25 Oct 2005 10:54:16 -0700, Benjamin Smith <lists at benjamindsmith.com> wrote:
> Based on your question, I'll consider that you're pretty much
> using a standard iptables config.
>
> edit /etc/sysconfig/iptables
>
> Add the following line, somewhere in the middle - it allows
> inbound connections to TCP port 22:
>
> -A RH-Firewall-1-INPUT -p tcp --dport 22 -j ACCEPT
>
> If you want to restrict access to a single IP address try this,
> it allows inbound connections to port 22 from ip address 1.2.3.4:
>
> -A RH-Firewall-1-INPUT -p tcp -s 1.2.3.4/32 --dport 22 -j ACCEPT
>
> Then restart iptables
> /etc/rc.d/init.d/iptables restart;
If you also wish to throttle new connections to the sshd daemon (a
most useful security measure in my opinion) then you can add this
to the top of your INPUT chain as well:
# sshd new connection attempts throttled to 4/min./IP addr.
-A INPUT -p tcp -m tcp -m state -m recent -i eth0 --dport 22 --
state NEW -j DROP --update --seconds 60 --hitcount 4 --name
DEFAULT --rsource
# Add new sshd connection attempt to recent ip list
-A INPUT -p tcp -m tcp -m state -m recent -i eth0 --dport 22 --
state NEW --set --name DEFAULT --rsource
You can alter the comparison period and connection rate values by
altering the arguments for --seconds and --hitcount appropriately.
For example, to permit no more than twelve connections from a
single IP address within any five minute period then use --seconds
300 --hitcount 12.
Regards,
Jim
--
*** e-mail is not a secure channel ***
mailto:byrnejb.<token>@harte-lyne.ca
James B. Byrne Harte & Lyne Limited
vox: +1 905 561 1241 9 Brockley Drive
fax: +1 905 561 0757 Hamilton, Ontario
<token> = hal Canada L8E 3C3
More information about the CentOS
mailing list