I use this one, works great and easy to set up: http://rfxnetworks.com/bfd.php

On Jan 30, 2008 11:54 AM, James B. Byrne <byrnejb at harte-lyne.ca> wrote:

> Message-ID: <479F2A63.2070408 at centos.org>
>
> On: Tue, 29 Jan 2008 07:30:11 -0600, Johnny Hughes <johnny at centos.org>
> Subject Was: [CentOS] Unknown rootkit causes compromised servers
>
> > SOME of the script kiddies check higher ports for SSH *_BUT_* I only see
> > 4% of the brute force attempts to login on ports other than 22.
> >
> > I would say that dropping brute force login attempts by 96% is quite a
> > good reason to move the SSH port from 22 to something else.
>
> I am not a fan of security through obscurity. If a port is open to the
> internet then it must be secured whether it is well known or not, and if it
> is properly secured then changing the port number customarily assigned
> provides no measurable benefit. In my opinion, arbitrarily switching port
> numbers for well known services provides only the illusion of security while
> often inconveniencing the legitimate users in unpredictable, and sometimes
> expensively resolved, fashions.
>
> To deal with brute force attacks (not just on ssh) I spent some time
> tracking down how others had dealt with the problem. I discovered thereby
> that one can use the simple linux firewall iptables to restrict the number
> of connections to a given port from a single source over a specified
> interval. I therefore added these rules to my /etc/sysconfig/iptables file:
>
> ...
> # This is usually present in all setups but, you never know....
> # Established connections go right through.
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> ...
>
> # Block brute force attacks
> # Drop repeated ssh connection attempts within 20 seconds interval
> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -m recent -i eth0 --dport 22 --state NEW -j DROP --rcheck --seconds 20 --name THROTTLE --rsource
>
> # Accept ssh connection if not attempted within past 20 sec.
> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -m recent -i eth0 --dport 22 --state NEW -j ACCEPT --set --name THROTTLE --rsource
>
> You can change the interval from 20 seconds to whatever you feel
> represents a decent compromise between user satisfaction and security. Many
> authorities considered a value between 3 and 6 seconds sufficient to render
> brute force attacks impractical. These rules can be trivially modified to
> protect any destination port (--dport 21 for ftp for instance) or protocol
> (-p udp).
>
> I hope this information is of use to some of you. I find this list and
> its archives very helpful myself.
>
> Regards,
>
> --
> *** E-Mail is NOT a SECURE channel ***
> James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
> Harte & Lyne Limited http://www.harte-lyne.ca
> 9 Brockley Drive vox: +1 905 561 1241
> Hamilton, Ontario fax: +1 905 561 0757
> Canada L8E 3C3
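The two `recent`-module rules quoted above, replayed as a small added model (not code from the thread or from iptables itself) over constructed SYN/ESTABLISHED events in rule order; the IP addresses and timings are made up. It shows the one behaviour the rules' comments do not spell out: `--rcheck` only reads the timestamp that `--set` wrote, so dropped attempts never extend the window, and a legitimate second session opened within the window is dropped too.

```python
"""Model of the ESTABLISHED / DROP(--rcheck) / ACCEPT(--set) chain from the thread.
Assumptions: THROTTLE is keyed on source address (--rsource), the window is
--seconds 20, and the list is never full (the real module caps its size)."""

WINDOW = 20  # --seconds 20


def run_chain(packets, window=WINDOW):
    """packets: iterable of (t_seconds, src_ip, state), state NEW or ESTABLISHED.
    Returns ([(t, src, verdict), ...], final THROTTLE table src -> last --set time)."""
    throttle = {}
    verdicts = []
    for t, src, state in packets:
        if state == "ESTABLISHED":          # rule 1: -m state ESTABLISHED,RELATED -j ACCEPT
            verdicts.append((t, src, "ACCEPT"))
            continue
        # rule 2: --rcheck --seconds 20: entry exists and was set < 20 s ago -> DROP.
        # --rcheck does NOT touch the timestamp, so this drop does not extend the window.
        if src in throttle and t - throttle[src] < window:
            verdicts.append((t, src, "DROP"))
            continue
        throttle[src] = t                   # rule 3: --set (re)writes the timestamp
        verdicts.append((t, src, "ACCEPT"))
    return verdicts, throttle


# Constructed sample: one source hammering every 2 s, and an admin (198.51.100.7)
# opening two sessions 5 s apart; the admin's second SYN is collateral damage.
SAMPLE = [
    (0, "203.0.113.9", "NEW"), (2, "203.0.113.9", "NEW"), (4, "203.0.113.9", "NEW"),
    (10, "198.51.100.7", "NEW"), (15, "198.51.100.7", "NEW"),
    (18, "198.51.100.7", "ESTABLISHED"),   # existing session: untouched by the throttle
    (21, "203.0.113.9", "NEW"),            # 21 s after the --set at t=0: window expired
]


def summarize(packets=SAMPLE):
    """Verdict counts for a packet list."""
    verdicts, _ = run_chain(packets)
    return {v: sum(1 for _, _, x in verdicts if x == v) for v in ("ACCEPT", "DROP")}


def accepted_per_minute(attempt_interval, window):
    """How many NEW attempts from one source, spaced attempt_interval seconds apart,
    the chain accepts in one minute for a given --seconds window (for tuning it)."""
    packets = [(t, "192.0.2.1", "NEW") for t in range(0, 60, attempt_interval)]
    verdicts, _ = run_chain(packets, window)
    return sum(1 for _, _, v in verdicts if v == "ACCEPT")


if __name__ == "__main__":
    for t, src, verdict in run_chain(SAMPLE)[0]:
        print(f"t={t:>2}s {src:<14} {verdict}")
    print(summarize(), accepted_per_minute(2, 20), accepted_per_minute(2, 5))
```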