On Jan 17, 2012 6:11 AM, "Mick" <michaelkintz...@gmail.com> wrote:
>
> On Monday 16 Jan 2012 01:35:04 Pandu Poluan wrote:
> > On Jan 16, 2012 12:58 AM, "Walter Dnes" <waltd...@waltdnes.org> wrote:
> > > On Thu, Jan 12, 2012 at 06:30:03AM -0500, Tanstaafl wrote
> > >
> > > > This is nothing like changing the port for SSH - a port scanner can
> > > > figure that one out in seconds...
> > >
> > > A real BOFH would set up a dummy instance of sshd on the regular port,
> > >
> > > as well as a real sshd instance on another port.  The dummy instance
> > > could be set up to always fail the login attempt, and with special
> > > iptable rules to not clutter up your logfile.
> >
> > And don't forget to put the false sshd through a tc rule that chokes the
> > return traffic to 1 cps B-)
> >
> > Of course, being the "real sysadmin" a.k.a lazy slob that I am, that's way
> > too much work for not enough bastardly pleasure... I can't gleefully see
> > the face of people trapped in the tc hell :-P
>
>
> Can you set up tc by port?  I thought it is only applicable to an interface.
> I need to brush up on this one day.

Actually, yes, by using u32 match.

But I prefer to just MARK the packet in iptables and match against that.

Rgds,
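Both approaches mentioned in the reply, written out as an added example (this is not from the thread or any of its posters): the iptables MARK plus tc `fw` classifier route, and the pure-tc `u32` match on the source port. Everything concrete here is an assumption: the egress interface `eth0`, the decoy sshd on TCP port 22, fwmark `1`, the throttle rate `8kbit` (tc rates are in bits per second, so the "1 cps" joke does not map to a literal value), and the script name `throttle.sh`. The `run` wrapper prints the commands instead of executing them when `DRY_RUN` is set, since the real commands need root and a network interface.

```shell
#!/bin/sh
# Added example, not from the thread. Throttle the return traffic of a decoy
# sshd so brute-forcers crawl, while real services keep full speed.
# Assumed values (all constructed): eth0, decoy port 22, fwmark 1, 8kbit.
IFACE="${IFACE:-eth0}"
DECOY_PORT="${DECOY_PORT:-22}"
MARK="${MARK:-1}"
SLOW_RATE="${SLOW_RATE:-8kbit}"

# Print the command instead of running it when DRY_RUN is non-empty.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Approach 1: mark in iptables, classify in tc with the fw classifier.
setup_throttle() {
    # Packets the decoy sends back have source port = decoy port. Marking them
    # in the mangle OUTPUT chain attaches an fwmark that tc can see on egress.
    run iptables -t mangle -A OUTPUT -p tcp --sport "$DECOY_PORT" \
        -j MARK --set-mark "$MARK"

    # HTB root qdisc; anything unclassified lands in the fast class 1:10.
    run tc qdisc add dev "$IFACE" root handle 1: htb default 10
    run tc class add dev "$IFACE" parent 1: classid 1:10 htb rate 100mbit
    run tc class add dev "$IFACE" parent 1: classid 1:20 htb \
        rate "$SLOW_RATE" ceil "$SLOW_RATE"

    # fw classifier: 'handle N' must equal the mark value set by iptables.
    run tc filter add dev "$IFACE" parent 1: protocol ip prio 1 \
        handle "$MARK" fw flowid 1:20
}

# Approach 2: match the source port directly with the u32 classifier.
# 0xffff masks the full 16-bit port field, so only an exact match qualifies.
setup_throttle_u32() {
    run tc qdisc add dev "$IFACE" root handle 1: htb default 10
    run tc class add dev "$IFACE" parent 1: classid 1:10 htb rate 100mbit
    run tc class add dev "$IFACE" parent 1: classid 1:20 htb \
        rate "$SLOW_RATE" ceil "$SLOW_RATE"
    run tc filter add dev "$IFACE" parent 1: protocol ip prio 1 u32 \
        match ip sport "$DECOY_PORT" 0xffff flowid 1:20
}

# Remove the qdisc (which drops its classes and filters) and the mark rule.
teardown() {
    run tc qdisc del dev "$IFACE" root
    run iptables -t mangle -D OUTPUT -p tcp --sport "$DECOY_PORT" \
        -j MARK --set-mark "$MARK"
}

# Usage: DRY_RUN=1 sh throttle.sh up    (print the commands)
#        sudo sh throttle.sh up|u32|down
case "${1:-}" in
    up)   setup_throttle ;;
    u32)  setup_throttle_u32 ;;
    down) teardown ;;
    *)    : ;;
esac
```

The mark-based variant keeps all the "which traffic" logic in iptables, so adding a second decoy port or excluding a management host is one more rule there rather than a new tc filter; the u32 variant avoids the iptables dependency but needs one filter per port. Either way the qdisc must exist before its filters, and the `fw` classifier requires the `cls_fw` module to be available.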
