Max wrote:
John Merritt wrote:
Hi,
Thanks to everyone who responded. I learned a lot today.
I found a cool project called DenyHosts that I just setup last evening for this purpose. I haven't used it very long, but it was very easy to setup, and seems to be working for me. I know it's cut down on the invalid user logging in /var/log/secure in a matter of a day already, and I've even left SSH traffic on port 22, just to make sure that it's being hammered on.
Check it out.
http://denyhosts.sourceforge.net/index.html
Max
A very simple way of denying repeated ssh access after the first time is to replace the
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
line in /etc/sysconfig/iptables with the following two lines (the mailer might wrap them):
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport ssh -m recent --name SSH --update --seconds 30 -j DROP
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport ssh -m recent --name SSH --set -j ACCEPT
The only drawback is that a permitted user has to wait 30 seconds after the end of a ssh session before she can establish a new one.
Works very well here.
Kay
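To make the behaviour of Kay's two rules concrete, here is an added example (not from the thread, and not the kernel's own code) that models the "recent" match in Python: one table keyed by source address, "--update --seconds 30" matching and refreshing the timestamp, and "--set" recording the source. The addresses and timings are constructed. Walking a few NEW connections through the two rules in order shows both the intended effect (a source that keeps retrying stays locked out, because every retry refreshes its timestamp) and the drawback for a legitimate user: the 30-second window is measured from the last NEW attempt, so a retry inside the window is dropped and restarts the clock.

```python
"""Model of the two-rule iptables 'recent' throttle for new SSH connections.

Added illustration only; it simulates the match logic of
  -m recent --name SSH --update --seconds 30 -j DROP
  -m recent --name SSH --set -j ACCEPT
for a stream of NEW connections.  Timestamps are in seconds.
"""
from dataclasses import dataclass, field

WINDOW_SECONDS = 30  # the --seconds 30 value from the rule


@dataclass
class RecentTable:
    """One named '-m recent' list: source address -> time of last hit."""
    last_seen: dict = field(default_factory=dict)

    def update(self, src: str, now: float, seconds: int) -> bool:
        """'--update --seconds N': match if src was seen within N seconds,
        and on a match refresh its timestamp (this is what keeps a
        persistent retrier locked out)."""
        last = self.last_seen.get(src)
        if last is not None and now - last <= seconds:
            self.last_seen[src] = now
            return True
        return False

    def set(self, src: str, now: float) -> bool:
        """'--set': record (or refresh) src and always match."""
        self.last_seen[src] = now
        return True


def filter_new_ssh(table: RecentTable, src: str, now: float,
                   seconds: int = WINDOW_SECONDS) -> str:
    """Apply the two rules, in order, to one NEW SSH connection from src."""
    if table.update(src, now, seconds):   # rule 1: seen recently -> DROP
        return "DROP"
    table.set(src, now)                   # rule 2: first hit in window -> ACCEPT
    return "ACCEPT"


def simulate(attempts, seconds: int = WINDOW_SECONDS):
    """attempts: list of (src, time) pairs in time order.  Returns the verdicts."""
    table = RecentTable()
    return [filter_new_ssh(table, src, t, seconds) for src, t in attempts]


if __name__ == "__main__":
    # Constructed sample: one source retrying every 5 seconds.  Only the
    # first connection is accepted; each retry refreshes the timestamp, so
    # the lockout never expires while the retries continue.
    retrier = [("10.0.0.9", 0), ("10.0.0.9", 5), ("10.0.0.9", 10), ("10.0.0.9", 35)]
    print("retrier:", simulate(retrier))

    # Constructed sample: a permitted user reconnects 20 s after the first
    # connection (dropped, and the clock restarts), then tries again 31 s
    # after that failed attempt (accepted).
    user = [("192.0.2.7", 0), ("192.0.2.7", 20), ("192.0.2.7", 51)]
    print("user:", simulate(user))
```

Because ESTABLISHED packets never hit these rules (only NEW does), the timer is tied to connection attempts rather than to the session itself: a long session followed immediately by a new login is accepted, while two logins in quick succession are not. A common refinement of the same mechanism is to add --hitcount to the --update rule so that a small number of connections per window is allowed before dropping; the verdict logic above is the place to model that if you want to compare settings before changing the firewall.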