[NCLUG] iptables ssh protection, but with Linksys WRT54G DD-WRT?

Jeffrey D. Means meaje at meanspc.com
Sun Apr 16 11:27:29 MDT 2006


There is an even simpler way of dealing with this problem... move the
port SSH listens to for outside your network.  Along with a proper
banner it is then easy to contact ISPs when someone does attack your
box(es) although anymore attacks usually come second hand from another
compromised platform... but at least it gives you a place to focus on
limiting access from.  I actually like to run my SSH external server
without password access, PKI only for logins along with changing my port
to 2600.  Hope this helps someone a little.

--Jeff
On Wed, 2006-04-12 at 14:09 -0600, Benson Chow wrote:
> First off, thanks Hugh for the presentation.  I was wondering what people 
> were doing with all these annoying ssh attempts, this surely couldn't be 
> an issue I'm fighting myself.
> 
> So I tried the ssh limiting iptables rules on my 2.6 server box, this 
> seemed to work just fine.  Exactly what I needed!  I was more concerned 
> about people wasting my bandwidth and filling my logfiles with useless 
> failed dictionary attempts than people cracking my box at this point.
> Less noise in logfiles is always better!
> 
> I'd also like to get the same kind of protection working on my WRT54G 
> router.  I tried the same commands, but wasn't quite sure about the device 
> needed.  So, I tried each one, including the virtual devices.  In any case 
> none of the command sets seemed to halt connections after too many connect 
> attempts.  The commands resulted in no errors when executed, either.  The 
> corresponding .so iptables module file seems to be on the filesystem, so 
> that should be OK.
> 
> The main difference other than hardware is that the router is running 
> Linux 2.4.32 instead of 2.6.15.  Anyone able to get these rules working on 
> a 2.4 box?
> 
> This router is not running Linksys firmware, it's using DD-WRT 2.3. 
> Iptables version matches my 2.6 box.
> 
> Thanks,
> 
> -bc
> 
> p.s. Oh.... I used to have anyone in the netblocks 210. to 213. all return 
> a random number of /dev/urandom bytes.  Just hoping, that someday 
> /dev/urandom generates a byte sequence fatal/buffer overflows their 
> attacking script...
> _______________________________________________
> NCLUG mailing list       NCLUG at nclug.org
> 
> To unsubscribe, subscribe, or modify 
> your settings, go to: 
> http://www.nclug.org/mailman/listinfo/nclug
-- 
Jeffrey D. Means <meaje at meanspc.com>
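The "ssh limiting iptables rules" the thread refers to are not spelled out in it; the usual form is the pair of `-m recent` rules quoted in the comments below. As an added example (not code from either poster), this Python model replays those two rules over constructed connection attempts so you can see which NEW connections sshd would actually receive; the rule text, the 60 s / 4-hit parameters and the `ip_pkt_list_tot` default are assumptions.

```python
from collections import defaultdict, deque

# Rule pair being modelled, applied to NEW TCP connections to the sshd port:
#   iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
#   iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update \
#            --seconds 60 --hitcount 4 --name SSH -j DROP
WINDOW = 60     # --seconds
HITCOUNT = 4    # --hitcount
LIST_TOT = 20   # ip_pkt_list_tot: timestamps kept per address (assumed kernel default)

class RecentList:
    """One named 'recent' list: source address -> timestamps of recent packets."""
    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=LIST_TOT))

    def set(self, src, now):
        """--set: record this packet for src (matches unconditionally)."""
        self.stamps[src].append(now)

    def update(self, src, now, seconds, hitcount):
        """--update --seconds S --hitcount H: match when src has >= H packets in the
        last S seconds; a match also records this packet, so retrying keeps you blocked."""
        seen = self.stamps.get(src)
        if seen and sum(1 for t in seen if now - t <= seconds) >= hitcount:
            seen.append(now)
            return True
        return False

def filter_new_connections(events, window=WINDOW, hitcount=HITCOUNT):
    """Run (time, src) NEW-connection events through both rules in order and
    return [(time, src, 'ACCEPT' | 'DROP')], i.e. what reaches sshd."""
    table = RecentList()
    verdicts = []
    for now, src in events:
        table.set(src, now)                                  # rule 1
        dropped = table.update(src, now, window, hitcount)   # rule 2 -> -j DROP
        verdicts.append((now, src, "DROP" if dropped else "ACCEPT"))
    return verdicts

# Constructed sample: one dictionary-attack source, one legitimate user who
# reconnects, and the attacker returning after staying quiet for over 60 s.
SAMPLE_EVENTS = [
    (0, "198.51.100.7"), (2, "198.51.100.7"), (4, "198.51.100.7"),
    (5, "203.0.113.10"),                 # legitimate user logs in
    (6, "198.51.100.7"), (8, "198.51.100.7"), (10, "198.51.100.7"),
    (40, "203.0.113.10"),                # legitimate user reconnects, unaffected
    (59, "198.51.100.7"),                # still inside the attacker's window
    (130, "198.51.100.7"),               # window expired: this one gets through
]
```

The last sample event shows the limit of this approach: a source that backs off for longer than the window is accepted again, so the rules cut log noise and bandwidth but are no substitute for key-only authentication as suggested above.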