[CentOS] Re: ssh attack
Kay Diederichs
kay.diederichs at uni-konstanz.de
Thu Feb 16 10:59:07 UTC 2006
Max wrote:
> John Merritt wrote:
>
>> Hi,
>>
>> Thanks to everyone who responded. I learned a lot today.
>>
>
> I found a cool project called DenyHosts that I just setup last evening
> for this purpose. I haven't used it very long, but it was very easy to
> setup, and seems to be working for me. I know it's cut down on the
> invalid user logging in /var/log/secure in a matter of a day already,
> and I've even left SSH traffic on port 22, just to make sure that it's
> being hammered on.
>
> Check it out.
>
> <http://denyhosts.sourceforge.net/index.html>
>
> Max
a very simple way of denying repeated ssh access after the first time is to
replace the
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
line in /etc/sysconfig/iptables with the following two lines (the mailer might
wrap them):
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport ssh -m recent --name SSH --update --seconds 30 -j DROP
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport ssh -m recent --name SSH --set -j ACCEPT
The only drawback is that a permitted user has to wait 30 seconds after the end
of an ssh session before she can establish a new one.
Works very well here.
Kay
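The two rules above rely on the iptables "recent" match: the first rule matches any source address already recorded under the name SSH within the last 30 seconds, refreshes its timestamp (--update) and drops the new connection; only when that rule does not match does the second rule record the source (--set) and accept. The Python below is an added illustration, not code from Kay's post or from the iptables project, that models exactly that two-rule evaluation on constructed connection attempts (the addresses and timestamps are made up, taken from the documentation ranges). It shows both the intended effect on a host retrying every few seconds and the drawback Kay mentions for a legitimate user.

```python
# Added example (not from the CentOS list post): a model of the two iptables
# rules that use "-m recent --name SSH".
#   rule 1: --update --seconds 30 -j DROP  -> source seen in the last 30 s:
#                                             refresh its timestamp, then DROP
#   rule 2: --set -j ACCEPT                -> otherwise record the source, ACCEPT
# Only NEW TCP connection attempts to the ssh port are evaluated. Times are
# seconds since an arbitrary epoch; every input below is constructed.

WINDOW_SECONDS = 30  # the --seconds value used in the post


def evaluate(table, src, now, window=WINDOW_SECONDS):
    """Verdict for one new connection attempt from src at time now.

    table plays the role of the kernel's recent list for the name SSH and is
    mutated the way the two rules would mutate it.
    """
    last_seen = table.get(src)
    if last_seen is not None and now - last_seen <= window:
        # --update matched: the timestamp is refreshed even though we drop,
        # so a host that keeps retrying keeps itself blocked.
        table[src] = now
        return "DROP"
    # --set: record (or re-record) the source and let the connection through.
    table[src] = now
    return "ACCEPT"


def run_scenario(attempts, window=WINDOW_SECONDS):
    """attempts: list of (time, src). Returns [(time, src, verdict), ...]."""
    table = {}
    ordered = sorted(attempts, key=lambda a: a[0])
    return [(t, src, evaluate(table, src, t, window)) for t, src in ordered]


def verdicts(attempts, window=WINDOW_SECONDS):
    """Just the verdicts, in time order, for the given attempts."""
    return [v for _, _, v in run_scenario(attempts, window)]


# Constructed scenarios (documentation address ranges, not real hosts):
# one host retrying every 5 seconds, and one ordinary user who reconnects
# 20 seconds after the first session and again 31 seconds after that.
RETRYING_HOST = [(i * 5, "203.0.113.7") for i in range(8)]
NORMAL_USER = [(0, "192.0.2.10"), (20, "192.0.2.10"), (51, "192.0.2.10")]

if __name__ == "__main__":
    for t, src, verdict in run_scenario(RETRYING_HOST + NORMAL_USER):
        print(f"t={t:3d}s  {src:15}  {verdict}")
```

The model makes the practical behaviour visible: the retrying host gets exactly one accepted connection and is then dropped for as long as it keeps trying, because every dropped attempt refreshes the 30-second window; the ordinary user's second connection at 20 s is also dropped and, since that attempt refreshed the timestamp too, the wait is counted from the last attempt rather than the first. On a real system the current contents of that list can be inspected in /proc/net/xt_recent/SSH (on kernels of the 2006 era the path was /proc/net/ipt_recent/SSH), which is a convenient way to check which sources are currently being held off.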