On 14/02/2013 18:51, Paul Klos wrote: > Op donderdag 14 februari 2013 04:56:53 schreef Stroller: >> >> On 14 February 2013, at 04:13, Daniel Frey wrote: >>> ... >>> I've poked into this a bit more, and every 60 seconds 5 attempts at >>> logon are being madeā¦ This weekend I'll reformat & reinstall. >> >> Excuse me if this is a dumb question, but does this machine have any ports >> open to the internet? >> >> This thread reminds me of how we sometimes hear of logfiles full of many ssh >> attempts made by script kiddies and botnets. >> >> Stroller. >> >> > Same here, I've seen multitudes of messages like this, with different user > names, in log files on servers with open ports 22. As long as you don't allow > interactive logins you shoud be fine, right? > > I think there might also be some advanced iptables hacking that might help > you block too many requests from the same source IP. This is still on my list > of stuff to look at 'some time'. > > One thing I have used with apparent succes is access a different port on the > outside, and redirect that to 22 on the inside. It's security through > obscurity, I know, but it seemed quite effective nonetheless.
That's fuzzy-feel-good security, the kind where you feel all warm and fuzzy and think you have protection. You don't, not even a little bit. All the l33t h@ckzor scripts out there can deal with simple port redirection. The solution you want is denyhosts, fail2ban, etc. There's a lot of software in that general category and it gets the job done properly. If you want to persist with obfuscated redirection, implement port knocking. It works, but it gets to be a pain rather quickly. -- Alan McKinnon [email protected]
