[CentOS-docs] Fwd: mistake on Securing SSH

Thu Mar 7 17:12:55 UTC 2013
Ned Slider <ned at unixmail.co.uk>

On 07/03/13 02:28, Timothy Lee wrote:
> This was sent to me regarding the wiki.
> ---------- Forwarded message ----------
> From: "Martin Koníček" <mkonicek12 at gmail.com>
> Date: Mar 7, 2013 4:44 AM
> Subject: mistake on Securing SSH
> To: <timothy.ty.lee at gmail.com>
> Cc:
>
> Hi Timothy,
>
> I saw wiki http://wiki.centos.org/HowTos/Network/SecuringSSH and it is
> pretty good, but there is a mistake.
>
> *Instead of having*
> iptables -A INPUT -p tcp --dport 22 -m recent --set --name ssh --rsource
> iptables -A INPUT -p tcp --dport 22 -m recent ! --rcheck --seconds 60 --hitcount 4 --name ssh --rsource -j ACCEPT
>
> *You should have*
> iptables -A INPUT -p tcp --dport 22 *-m state --state NEW* -m recent --set --name ssh --rsource
> iptables -A INPUT -p tcp --dport 22 *-m state --state NEW* -m recent ! --rcheck --seconds 60 --hitcount 4 --name ssh --rsource -j ACCEPT
>
> Brgds.
> --
> Martin
>
>
Many thanks for forwarding Timothy, and to Martin for the feedback.

Updated, although personally I prefer to accept established/related 
connections earlier in the chain prior to deploying such a rule, for 
example:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

At which point, any packets matching that rule are by definition new. 
Still, it's a valid point.
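To make the difference concrete, here is an added Python model of the `recent` match (not code from the wiki or from either mail) that walks the three rule orderings discussed above over constructed port-22 traffic; the addresses, timings and the simplified `Recent` class are assumptions for illustration. It shows that without `--state NEW` (or an earlier ESTABLISHED,RELATED accept) the packets of one legitimate session fill the hit list and a later connection from the same admin is dropped, while a burst of new connections is limited the same way in all three variants.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    t: int       # seconds since start
    src: str     # source address (--rsource keys the list on this)
    state: str   # conntrack state: "NEW" or "ESTABLISHED"

class Recent:
    """Minimal model of xt_recent: per-source list of recent timestamps (assumption)."""
    def __init__(self, seconds=60, hitcount=4, max_pkts=20):
        self.seconds, self.hitcount, self.max_pkts = seconds, hitcount, max_pkts
        self.seen = {}

    def set(self, p):     # -m recent --set
        self.seen.setdefault(p.src, deque(maxlen=self.max_pkts)).append(p.t)

    def rcheck(self, p):  # -m recent --rcheck --seconds N --hitcount H
        ts = self.seen.get(p.src, ())
        return sum(1 for t in ts if p.t - t <= self.seconds) >= self.hitcount

def ssh_set(new_only):    # '--dport 22 [-m state --state NEW] -m recent --set' (no -j)
    return (lambda p, r: not new_only or p.state == "NEW"), "SET"

def ssh_check(new_only):  # '... -m recent ! --rcheck --seconds 60 --hitcount 4 -j ACCEPT'
    return (lambda p, r: (not new_only or p.state == "NEW") and not r.rcheck(p)), "ACCEPT"

ESTABLISHED = (lambda p, r: p.state == "ESTABLISHED", "ACCEPT")  # --state ESTABLISHED,RELATED

def run_chain(rules, packets, policy="DROP"):
    """Walk an INPUT chain over port-22 packets and return one verdict per packet."""
    rec, verdicts = Recent(), []
    for p in packets:
        verdict = policy
        for match, target in rules:
            if not match(p, rec):
                continue
            if target == "SET":       # a rule without -j only records and falls through
                rec.set(p)
                continue
            verdict = target
            break
        verdicts.append(verdict)
    return verdicts

# Constructed traffic: an admin opens a session, types for 5 s, then opens a second one;
# a second host opens five connections in five seconds.
ADMIN = ([Pkt(0, "10.0.0.5", "NEW")] + [Pkt(t, "10.0.0.5", "ESTABLISHED") for t in range(1, 6)]
         + [Pkt(10, "10.0.0.5", "NEW")])
BURST = [Pkt(t, "203.0.113.9", "NEW") for t in range(5)]

WIKI_ORIGINAL = [ssh_set(False), ssh_check(False), ESTABLISHED]  # established packets count as hits
MARTIN_FIX    = [ssh_set(True),  ssh_check(True),  ESTABLISHED]  # only NEW packets are recorded
NED_VARIANT   = [ESTABLISHED, ssh_set(False), ssh_check(False)]  # established accepted earlier
```

Running `run_chain(WIKI_ORIGINAL, ADMIN)` drops the admin's second connection at t=10 because the five established packets were recorded as hits; `MARTIN_FIX` and `NED_VARIANT` accept all seven packets, and all three limit `BURST` to three accepted connections.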