Roger Bumgarner wrote:
> ALLOW rules and SSH-keys. Using a non-standard port will stop the
> majority of automated attackers, but a dedicated attack will find
> your SSH server: it only takes 20-30mins to portscan 1-65535.
Not necessarily:
http://jengelh.medozas.de/documents/Chaostables.pdf
I've included something like:
iptables -N deceive
# each statistic rule is tested independently per packet; the first one that
# matches sends its reject, everything else falls through to the final DROP
iptables -A deceive -m statistic --mode random --probability 0.003 -j REJECT --reject-with icmp-proto-unreachable
iptables -A deceive -m statistic --mode random --probability 0.003 -j REJECT --reject-with icmp-net-prohibited
iptables -A deceive -m statistic --mode random --probability 0.003 -j REJECT --reject-with icmp-host-prohibited
iptables -A deceive -m statistic --mode random --probability 0.003 -j REJECT --reject-with icmp-port-unreachable
iptables -A deceive -m statistic --mode random --probability 0.003 -j REJECT --reject-with icmp-host-unreachable
iptables -A deceive -m statistic --mode random --probability 0.003 -j REJECT --reject-with icmp-net-unreachable
iptables -A deceive -p tcp -m statistic --mode random --probability 0.003 -j REJECT --reject-with tcp-reset
iptables -A deceive -j DROP
then some ALLOW rules:
...
iptables -A INPUT -p tcp --dport $SSH_PORT -m hashlimit --hashlimit-name sshlimit --hashlimit-mode srcip --hashlimit-upto 25/minute --hashlimit-burst 25 --hashlimit-htable-expire 120000 -j ACCEPT
....and then:
iptables -A INPUT -j deceive
That causes full portscan w/ nmap to take a week or so.
Apart from that I use portsentry and fail2ban.
Rgds,
Marcin
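As an added illustration (my own model, not part of Marcin's rule set), this Python code walks the deceive chain the way netfilter does: each statistic rule is tested independently per packet, so the first rule fires 0.3% of the time, later rules slightly less, and about 97.9% of probes fall through to DROP; `answer_rate_within` then shows how few ports ever reply within a scanner's retries, which is where the week-long nmap run comes from. The verdict labels and the probe/retry model are my assumptions.

```python
import random
from collections import Counter

# Verdicts of the deceive chain, in the order the rules were appended.
DECEIVE_RULES = [
    "icmp-proto-unreachable",
    "icmp-net-prohibited",
    "icmp-host-prohibited",
    "icmp-port-unreachable",
    "icmp-host-unreachable",
    "icmp-net-unreachable",
    "tcp-reset",  # this rule carries -p tcp, so non-TCP packets skip it
]
P_MATCH = 0.003  # --probability on every statistic rule

def deceive_verdict(rng, proto="tcp", p=P_MATCH):
    """Walk the chain for one packet: each statistic rule matches
    independently with probability p, the first match decides, and
    anything that falls through hits the final DROP."""
    for reject_with in DECEIVE_RULES:
        if reject_with == "tcp-reset" and proto != "tcp":
            continue
        if rng.random() < p:
            return reject_with
    return "DROP"

def verdict_distribution(proto="tcp", p=P_MATCH):
    """Closed form: rule i fires with p*(1-p)^(i-1); DROP gets (1-p)^n."""
    dist, survive = {}, 1.0
    for reject_with in DECEIVE_RULES:
        if reject_with == "tcp-reset" and proto != "tcp":
            continue
        dist[reject_with] = survive * p
        survive *= 1.0 - p
    dist["DROP"] = survive
    return dist

def answer_rate_within(probes, proto="tcp", p=P_MATCH):
    """Share of ports that send *any* reply within `probes` attempts.
    Every attempt that falls through to DROP costs the scanner a timeout,
    which is what stretches a full 1-65535 scan out."""
    drop = verdict_distribution(proto, p)["DROP"]
    return 1.0 - drop ** probes

def simulate(n_packets, seed, proto="tcp", p=P_MATCH):
    """Monte Carlo check of verdict_distribution with constructed traffic."""
    rng = random.Random(seed)
    return Counter(deceive_verdict(rng, proto, p) for _ in range(n_packets))
```

Note that the SSH port never reaches this chain until a source exceeds the hashlimit, so the model only describes closed ports and rate-limited sources.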