On 2011 January 26 Wednesday, Andy Smith wrote:
I recommend something like Fail2Ban for
protecting SSH because your
typical SSH scanner connects and tries thousands of
username/password combinations. You block them and then they move
on. So there's value in blocking them.
On the subject of stopping these
annoying ssh scans, in case it's useful to
you, here are the firewall rules I use:
# create the user chain first, otherwise '-A DropChain' fails
iptables -N DropChain
# rule 1: record every new SSH connection under the name SSH_PROBES
iptables -A DropChain \
-p tcp --dport 22 \
-m state --state NEW \
-m recent --set --name SSH_PROBES
# rule 2: drop a new SSH connection if it is the 7th (or later) from that source within 60 seconds
iptables -A DropChain \
-p tcp --dport 22 \
-m state --state NEW \
-m recent --update --hitcount 7 --seconds 60 --name SSH_PROBES \
-j DROP
Then I add DropChain to INPUT chain early on.
iptables -A INPUT -j DropChain
The first rule tags any new ssh connection with the name SSH_PROBES. The
second drops any new SSH_PROBES connection that is the seventh within 60
seconds. You can change the 7 and 60 to suit your own circumstances.
This pretty much eliminated the malicious ssh probes on my system, leaving me
with a few attempts on the root account, rather than page after page of brute
force attempts.
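To make the sliding-window behaviour of the two rules concrete, here is an added simulation (not part of the original mail, and not the kernel's xt_recent code) that replays the same logic in Python: every new connection is recorded against its source address (the `--set` rule), and a connection is dropped when that source already has `hitcount` or more records inside the last `seconds` (the `--update --hitcount 7 --seconds 60` rule). Because the recent module keeps one list per source address, attempts from one scanner do not count against a different address; the constructed sample below shows a scanner tripping the limit while a separate administrator address is unaffected, and the scanner being accepted again once its hits have aged out of the window. The addresses, timestamps and the per-address cap of 20 stored timestamps are assumptions for illustration.

```python
from collections import defaultdict, deque

# Constructed sample addresses (documentation ranges, not real hosts).
SCANNER = "198.51.100.7"
ADMIN = "203.0.113.4"


class RecentTable:
    """Per-source timestamp lists, modelled on xt_recent with
    '--set' followed by '--update --seconds N --hitcount M'."""

    def __init__(self, seconds=60, hitcount=7, max_entries=20):
        self.seconds = seconds        # --seconds window
        self.hitcount = hitcount      # --hitcount threshold
        self.max_entries = max_entries  # assumed per-address cap on stored hits
        self.table = defaultdict(deque)

    def new_connection(self, src, now):
        """Return the verdict ('ACCEPT' or 'DROP') for one NEW SSH connection."""
        hits = self.table[src]
        # Rule 1 (--set): record this attempt for the source address.
        hits.append(now)
        while len(hits) > self.max_entries:
            hits.popleft()
        # Rule 2 (--update --seconds --hitcount): count attempts still inside
        # the window, including the current one, and drop at the threshold.
        in_window = sum(1 for t in hits if now - t <= self.seconds)
        return "DROP" if in_window >= self.hitcount else "ACCEPT"


def simulate(attempts, seconds=60, hitcount=7):
    """Replay (timestamp, source) attempts in time order; return (src, t, verdict)."""
    table = RecentTable(seconds, hitcount)
    return [(src, t, table.new_connection(src, t)) for t, src in sorted(attempts)]


def verdicts_for(results, src):
    """Extract the verdict sequence for one source address."""
    return [v for s, _, v in results if s == src]


def demo():
    # Constructed timeline: a scanner opening one connection per second for
    # ten seconds, then one more after the window has expired; an admin
    # logging in twice during the same minute from another address.
    attempts = [(t, SCANNER) for t in range(10)]
    attempts += [(3, ADMIN), (45, ADMIN)]
    attempts += [(200, SCANNER)]
    return simulate(attempts)


if __name__ == "__main__":
    for src, t, verdict in demo():
        print(f"t={t:>4}s  {src:<14} {verdict}")
```

Run it and the scanner's first six connections are accepted, the seventh through tenth are dropped, and the attempt at 200 seconds is accepted again because only one hit remains inside the 60-second window; both administrator connections are accepted throughout. Raising `hitcount` or lowering `seconds` in `simulate()` lets you check what a given threshold does to a burst of legitimate reconnects before changing the live rule.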
Doesn't this also deny you access to your server if someone's probing it?