[CentOS] Ideas for stopping ssh brute force attacks

Tue Jul 22 01:53:43 UTC 2008
Bo Lynch <blynch at ameliaschools.com>

On Mon, July 21, 2008 6:47 pm, Bill Campbell wrote:
> On Tue, Jul 22, 2008, D Steward wrote:
>>On Mon, 2008-07-21 at 17:09 -0500, Tim Nelson wrote:
>>> When using denyhosts, you'll want to keep your IP's in hosts.allow so
>>> even if you're "banned" you can still get access. :-)
>>
>>Yup.
>>Unfortunately, my ISP's plan uses dynamic IPs, so I have to enter
>>various subnets to stay safe. :(
>
> If you do not allow password authentication and use good pass
> phrases on your identity, the only thing really gained by
> restricting on IP ranges is restricting the number of reject
> messages in your log files.  The fail2ban program does a nice job
> of limiting the number of rejection messages in the logs.
>
> Another possibility is to set up OpenVPN on your system, which
> authenticates on ssl certificates and works nicely even from
> dynamic IPs behind NAT.  Then you can ssh into the private LAN
> behind your firewall via OpenVPN.
>
> Bill
> --
> INTERNET:   bill at celestial.com  Bill Campbell; Celestial Software LLC
> URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
> Voice:          (206) 236-1676  Mercer Island, WA 98040-0820
> Fax:            (206) 232-9186
>
> Foreign aid might be defined as a transfer from poor people in rich
> countries to rich people in poor countries -- Douglas Casey
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
Bill,

we have been looking at implementing OpenVPN to allow access to the
internal LAN. For a firewall, we basically have iptables with 2 nics doing
NAT. So would the OpenVPN server live inside of our private network and
just do some forwards with iptables on the firewall or would it be better
to implement it with by itself with 2 nics one on the public and one on
the private?