[CentOS] Paranoid Firewalling
maze at cela.pl
Wed Sep 7 00:16:38 UTC 2005
Instead of keeping the ssh port open, use something like the following:
-A INPUT -p tcp --dport SECRETPORT# -m recent --set
-A INPUT -p tcp --dport ssh -m state --state NEW -m recent --update
--seconds 43200 -j ACCEPT
and then before ssh'ing in from outside telnet the SECRETPORT# on the
machine in order to open the ssh port for the next 12 hours.
Gets rid of script kiddies.
On Tue, 6 Sep 2005, Sam Drinkard wrote:
> If you don't mind, could you let me know where that script is? I'm seeing
> the same thing -- kiddies trying to log in. I use something similar, but
> manual entry on my mail server that is in a co-lo site running FreeBSD. Here
> at home, I thought I'd be pretty well protected behind the router, but I have
> to have the ssh port open, and I'm seeing hundreds of attempts.
> Kirk Bocek wrote:
>> Good question Alex. However, I've never studied the scripts that 'script
>> kiddies' use and so have no answer.
>> Part of what has prompted this change is the recent surge of brute-force
>> password attacks. From the timing of the password attempts, it's clear that
>> these are script driven.
>> I found a perl script that watches for failed logins. After a configurable
>> number, the script enters the IP address into /etc/hosts.deny. After a
>> configurable number of days, the script then removes the IP address.
>> What I see in /var/log/secure is a whole series of 'Invalid user' messages
>> followed by 'Failed password for invalid user' messages. These will then,
>> because of the script, be terminated by a 'refused connect from' message
>> when the address is entered into hosts.deny.
>> My point in all this is that I only ever see *one* 'refused connect'
>> message. So at least for this script, it gives up when it can't connect
>> Kirk Bocek
More information about the CentOS