On 11/18/2014 05:45 PM, Zack Weinberg wrote:
On Tue, Nov 18, 2014 at 11:15 AM, Toralf Förster toralf.foerster@gmx.de wrote:
On 11/18/2014 04:28 PM, Jeroen Massar wrote:
People should realize though that it is not 'safer' in any way running SSH on another port.
But it is (slightly) more expensive - which counts, doesn't it?
In my limited experience, moving SSH to another port made no apparent difference to the number of random attempts to break in. I'd recommend fail2ban or equivalent instead.
Well, I do have an alternate port, and my iptables shows me this:
$> wc /proc/net/xt_recent/FAILED_SSH_*
    4   61   643 /proc/net/xt_recent/FAILED_SSH_ALT_LOGIN
  149 1284 12182 /proc/net/xt_recent/FAILED_SSH_LOGIN
These are the iptables rules:
# block brute force attacks against ssh, fake the 22
#
# rule 1: every NEW connection to port 22 adds the source address (with a
#         timestamp) to the recent list FAILED_SSH_LOGIN
# rule 2: once a source has 2 or more timestamps within the last 300 s, its
#         ESTABLISHED packets are answered with a TCP reset; every matching
#         packet also refreshes the timestamp, so the block keeps extending
$IPT -t filter -A INPUT -p tcp --destination-port 22 \
    --match conntrack --ctstate NEW \
    --match recent --name FAILED_SSH_LOGIN --set
$IPT -t filter -A INPUT -p tcp --destination-port 22 \
    --match conntrack --ctstate ESTABLISHED \
    --match recent --name FAILED_SSH_LOGIN --update --seconds 300 --hitcount 2 \
    -j REJECT --reject-with tcp-reset

# same for the alternate port, but silently DROP instead of REJECT
$IPT -t filter -A INPUT -p tcp --destination-port <snip> \
    --match conntrack --ctstate NEW \
    --match recent --name FAILED_SSH_ALT_LOGIN --set
$IPT -t filter -A INPUT -p tcp --destination-port <snip> \
    --match conntrack --ctstate ESTABLISHED \
    --match recent --name FAILED_SSH_ALT_LOGIN --update --seconds 300 --hitcount 2 \
    -j DROP
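An added example, not code from this thread: `wc` on the xt_recent files counts every source the list still remembers, and an entry stays in the list after its timestamps have aged out of the 300 s window, so the line count is not the number of hosts currently being reset or dropped. The script below parses a /proc/net/xt_recent list and applies the same `--seconds S --hitcount N` test the REJECT/DROP rules use. It assumes the line format the kernel's xt_recent proc file emits (`src=... ttl: ... last_seen: ... oldest_pkt: ... <stamps>`), and since the stamps are kernel jiffies it takes HZ and a reference "now" as parameters; the sample list, HZ value and "now" are constructed for the demonstration.

```python
"""Report which sources in an xt_recent list currently pass a
`--seconds S --hitcount N` check, i.e. would be matched by a rule such as

    -m recent --name FAILED_SSH_LOGIN --update --seconds 300 --hitcount 2

Assumptions (added example, not code from the thread):
  * the line format is the one the kernel's xt_recent proc file emits:
      src=<ip> ttl: <ttl> last_seen: <jiffies> oldest_pkt: <n> <jiffies>, <jiffies>, ...
  * stamps are kernel jiffies, so HZ (CONFIG_HZ, commonly 250 or 1000) and a
    reference "now" in jiffies must be supplied by the caller.
"""

import re
import sys
from dataclasses import dataclass

# the head of each line is fixed; the tail is the comma separated stamp list
LINE_RE = re.compile(
    r"^src=(?P<src>\S+) ttl: (?P<ttl>\d+) last_seen: (?P<last>\d+) "
    r"oldest_pkt: (?P<index>\d+)(?P<stamps>.*)$"
)


@dataclass
class RecentEntry:
    src: str
    ttl: int
    last_seen: int
    stamps: list          # packet timestamps in jiffies


def parse_xt_recent(text):
    """Parse the contents of /proc/net/xt_recent/<list> into RecentEntry objects."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised xt_recent line: {line!r}")
        stamps = [int(s) for s in m.group("stamps").split(",") if s.strip()]
        entries.append(RecentEntry(m.group("src"), int(m.group("ttl")),
                                   int(m.group("last")), stamps))
    return entries


def hits_within(entry, seconds, now_jiffies, hz):
    """Number of stamps not older than `seconds`, the way xt_recent counts them."""
    cutoff = now_jiffies - seconds * hz
    return sum(1 for stamp in entry.stamps if stamp >= cutoff)


def currently_matching(entries, seconds, hitcount, now_jiffies, hz):
    """Sources an --rcheck/--update rule with these parameters would match now."""
    return sorted(e.src for e in entries
                  if hits_within(e, seconds, now_jiffies, hz) >= hitcount)


# Constructed sample (HZ=250, "now" = 5_000_000 jiffies): the first host has
# three connections inside the 300 s window and is being reset, the second has
# only its first connection, the third was seen twice but more than 300 s ago
# and is still remembered although it no longer matches.
SAMPLE_LIST = """\
src=198.51.100.7 ttl: 52 last_seen: 4997500 oldest_pkt: 3 4950000, 4990000, 4997500
src=203.0.113.9 ttl: 61 last_seen: 4998750 oldest_pkt: 1 4998750
src=192.0.2.33 ttl: 48 last_seen: 4900000 oldest_pkt: 2 4850000, 4900000
"""
SAMPLE_HZ = 250
SAMPLE_NOW = 5_000_000


def report(text, seconds, hitcount, hz, now_jiffies=None):
    """Return (remembered_entries, matching_sources). Without `now_jiffies` the
    newest stamp in the list is used as the reference, which is an approximation."""
    entries = parse_xt_recent(text)
    if now_jiffies is None:
        now_jiffies = max((e.last_seen for e in entries), default=0)
    return len(entries), currently_matching(entries, seconds, hitcount, now_jiffies, hz)


if __name__ == "__main__":
    # usage: xt_recent_report.py [/proc/net/xt_recent/FAILED_SSH_LOGIN] [HZ]
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = fh.read()
        hz = int(sys.argv[2]) if len(sys.argv) > 2 else SAMPLE_HZ
        total, blocked = report(data, 300, 2, hz)
    else:
        total, blocked = report(SAMPLE_LIST, 300, 2, SAMPLE_HZ, SAMPLE_NOW)
    print(f"{total} sources remembered, {len(blocked)} currently matching "
          f"--seconds 300 --hitcount 2:")
    for src in blocked:
        print("  ", src)
```

Run against a real list, the HZ argument has to match the kernel's CONFIG_HZ, otherwise the 300 s window is scaled wrongly; the "newest stamp as now" fallback undercounts age for a list that has seen no traffic for a while, which is why the sample passes an explicit reference time.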