[tor-relays] List of Relays' Available SSH Auth Methods

Toralf Förster toralf.foerster at gmx.de
Tue Nov 18 17:28:16 UTC 2014


On 11/18/2014 05:45 PM, Zack Weinberg wrote:
> On Tue, Nov 18, 2014 at 11:15 AM, Toralf Förster <toralf.foerster at gmx.de> wrote:
>> On 11/18/2014 04:28 PM, Jeroen Massar wrote:
>>> People should realize though that it is not 'safer' in any way running
>>> SSH on another port.
>>
>> But it is (slightly) more expensive - which counts, or?
> 
> In my limited experience, moving SSH to another port made no apparent
> difference to the number of random attempts to break in.  I'd
> recommend fail2ban or equivalent instead.
> 

Well, I do have an alternate port and my iptables shows me this:

$> wc  /proc/net/xt_recent/FAILED_SSH_*
4 61 643 /proc/net/xt_recent/FAILED_SSH_ALT_LOGIN
149 1284 12182 /proc/net/xt_recent/FAILED_SSH_LOGIN


These are the iptables rules:

        #       block brute force attacks against ssh, fake the 22
        #       ($IPT = path to the iptables binary, <snip> = the alternate ssh port)
        #
        #       NEW connection to 22: remember the source address in FAILED_SSH_LOGIN
        $IPT -t filter -A INPUT -p tcp --destination-port  22 --match conntrack --ctstate NEW         --match recent --name FAILED_SSH_LOGIN --set
        #       later packets: 2 or more hits from that source within 300 s -> TCP reset
        $IPT -t filter -A INPUT -p tcp --destination-port  22 --match conntrack --ctstate ESTABLISHED --match recent --name FAILED_SSH_LOGIN --update --seconds 300 --hitcount 2 -j REJECT --reject-with tcp-reset

        #       same tracking for the alternate port, but offenders are silently dropped
        $IPT -t filter -A INPUT -p tcp --destination-port <snip> --match conntrack --ctstate NEW         --match recent --name FAILED_SSH_ALT_LOGIN --set
        $IPT -t filter -A INPUT -p tcp --destination-port <snip> --match conntrack --ctstate ESTABLISHED --match recent --name FAILED_SSH_ALT_LOGIN --update --seconds 300 --hitcount 2 -j DROP


-- 
Toralf
pgp key: 0076 E94E
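What the two rules per port actually do is easy to misread, so here is an added example (not code from the post above) that models the xt_recent "--set" and "--update --seconds --hitcount" semantics as the kernel evaluates them (the hit count is checked before the current packet is recorded), replays a constructed connection trace through the port-22 rules, and parses the /proc/net/xt_recent/<list> lines that the `wc` above is counting. One thing the replay makes visible: the list records every NEW connection to the port, not only failed logins, so a second session from the same address within 300 s is reset regardless of how the first one went, and the line count from `wc` is the number of addresses remembered, not the number that tripped the REJECT/DROP rule. The class and function names, the trace and the /proc sample are this example's own; the /proc line layout is written down from xt_recent.c as an assumption.

```python
"""Model of the xt_recent ("--match recent") logic behind the FAILED_SSH_LOGIN
rules, plus a parser for /proc/net/xt_recent/<list> entries.

Added example, not code from the mailing-list post. RecentList, ssh_verdicts,
parse_xt_recent and sources_over_threshold are this example's own names; the
trace and the /proc sample below are constructed.
"""
from collections import defaultdict


class RecentList:
    """In-memory stand-in for one xt_recent list such as FAILED_SSH_LOGIN."""

    def __init__(self):
        self.stamps = defaultdict(list)  # source address -> hit timestamps

    def set(self, src, now):
        """--set: record a hit for src; the match always succeeds."""
        self.stamps[src].append(now)
        return True

    def update(self, src, now, seconds, hitcount):
        """--update --seconds S --hitcount H: match only if src already has at
        least H hits within the last S seconds, counted before this packet is
        added (as xt_recent does); on a match the packet is recorded as a hit."""
        if src not in self.stamps:
            return False
        in_window = [t for t in self.stamps[src] if now - t <= seconds]
        if len(in_window) >= hitcount:
            self.stamps[src].append(now)
            return True
        return False


WINDOW_SECONDS = 300  # --seconds 300 from the post
HITCOUNT = 2          # --hitcount 2 from the post


def ssh_verdicts(packets):
    """Replay (time_s, src, ctstate) packets to port 22 through the two rules.
    Returns one verdict per packet: 'REJECT' when rule 2 fires, else 'PASS'
    (the packet falls through to whatever follows in the INPUT chain)."""
    table = RecentList()
    verdicts = []
    for now, src, state in packets:
        if state == "NEW":
            table.set(src, now)  # rule 1: every new connection is remembered
            verdicts.append("PASS")
        elif state == "ESTABLISHED" and table.update(
                src, now, WINDOW_SECONDS, HITCOUNT):
            verdicts.append("REJECT")  # rule 2: -j REJECT --reject-with tcp-reset
        else:
            verdicts.append("PASS")
    return verdicts


# Constructed trace: 203.0.113.7 opens three sessions 5 s apart;
# 198.51.100.9 opens one, then another more than 300 s later.
TRACE = [
    (0, "203.0.113.7", "NEW"), (1, "203.0.113.7", "ESTABLISHED"),
    (5, "203.0.113.7", "NEW"), (6, "203.0.113.7", "ESTABLISHED"),
    (10, "203.0.113.7", "NEW"), (11, "203.0.113.7", "ESTABLISHED"),
    (20, "198.51.100.9", "NEW"), (21, "198.51.100.9", "ESTABLISHED"),
    (700, "198.51.100.9", "NEW"), (701, "198.51.100.9", "ESTABLISHED"),
]


def parse_xt_recent(text):
    """Parse /proc/net/xt_recent/<list> lines into {src: [jiffies, ...]}.
    Line layout as printed by the kernel's xt_recent.c (assumption):
      src=A.B.C.D ttl: T last_seen: J oldest_pkt: I J1, J2, ...
    where I is the ring-buffer index and the J's are packet timestamps."""
    entries = {}
    for line in text.splitlines():
        if not line.startswith("src="):
            continue
        head, _, tail = line.partition("oldest_pkt:")
        src = head.split()[0][len("src="):]
        fields = tail.replace(",", " ").split()
        entries[src] = [int(j) for j in fields[1:]]  # skip the index field
    return entries


def sources_over_threshold(entries, now, window, hitcount):
    """Sources whose hits inside the window (all values in jiffies) reach
    hitcount: the addresses the REJECT/DROP rule would fire on right now,
    as opposed to the plain line count that `wc` on the /proc file gives."""
    return sorted(src for src, stamps in entries.items()
                  if sum(1 for j in stamps if now - j <= window) >= hitcount)


# Constructed /proc/net/xt_recent sample (jiffies at HZ=100, so 300 s = 30000).
SAMPLE_PROC = """\
src=203.0.113.7 ttl: 54 last_seen: 4295000600 oldest_pkt: 3 4295000100, 4295000350, 4295000600
src=198.51.100.9 ttl: 64 last_seen: 4295000900 oldest_pkt: 1 4295000900
"""

if __name__ == "__main__":
    for pkt, verdict in zip(TRACE, ssh_verdicts(TRACE)):
        print(pkt, "->", verdict)
    entries = parse_xt_recent(SAMPLE_PROC)
    print(len(entries), "sources listed;",
          sources_over_threshold(entries, 4295000900, 30000, HITCOUNT),
          "over the hitcount")
```

Running it prints the first 203.0.113.7 session passing and the second and third being reset, while 198.51.100.9's second session 680 s later passes because its first hit has aged out of the window. To check a live list instead of the constructed sample, feed the contents of the /proc file to parse_xt_recent and pass the current jiffies and HZ-scaled window to sources_over_threshold.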


