Yet another tip. Isolate your IP in iptables like so:

-A INPUT -p tcp -m tcp -s 192.168.0.1 --dport 5150 -j ACCEPT

using a non-standard port and replacing the private IP with your public IP address. The only problem with this approach is accessing it from the road, where your IP is changing.

On 04/03/2015 11:41 AM, Hasan Akgöz wrote:
> second tip ;
>
> It does this by using simple Access List Rules which are included in the two files /etc/hosts.allow and /etc/hosts.deny. Firstly allow access by placing the following inside /etc/hosts.allow:
>
> /etc/hosts.allow
> sshd: 1.2.3.0/255.255.255.0 ( 1.2.3.0 secure network )
>
> Then disallow all further access by placing this in /etc/hosts.deny:
>
> /etc/hosts.deny
> sshd: ALL
>
> third tip :
>
> Change the absolute ssh port. For example 2122.
>
> 2015-04-03 17:01 GMT+03:00 Dan McAllister <[email protected]>:
>
> On 4/2/2015 5:20 PM, Dave M wrote:
>> This should make you smile
>>
>> I have just this minute finished an install of Centos7 to prepare for the qmail-toaster install.
>>
>> After the first update, and reboot, I logged in via ssh
>>
>> Up pops the security message:
>>
>> *There were 249 failed login attempts since the last successful login.*
>>
>> Thankfully the default firewall took care of them
>>
>> Just be careful doing installs with live external IP, and disabling the firewall until you are done
>>
>> Made me laugh : )
>
> Just a tip --
>
> Instead of leaving your SSH port open, put a connection limit on it:
>
> The following entries are from an iptables config file:
>
> -A INPUT -p tcp --dport 22 -m limit --limit 2/minute -j ACCEPT
> -A INPUT -p tcp --dport 22 -j DROP
>
> You can fail your login attempt twice per minute, then you're dropped for the remainder of the minute.
>
> In most cases, they fail the login twice in like a 10-second period, fail a few more times (with unsuccessful connections this time) and finally quit -- blissfully unaware that they could try 2 more times in 60 seconds.
>
> The point is, if you're just fat-fingering your SSH password, no worries - wait 60 seconds....
> But if you're trying a brute-force attack, good luck -- instead of hundreds of tries per minute, you now get just 2...
>
> Needless to say, you can adjust to your own recipe...
>
> Dan McAllister
> IT4SOHO
>
> --
> IT4SOHO, LLC
> 33 - 4th Street N, Suite 211
> St. Petersburg, FL 33701-3806
>
> CALL TOLL FREE:
> 877-IT4SOHO
>
> 877-484-7646 Phone
> 727-647-7646 Local
> 727-490-4394 Fax
>
> We have support plans for QMail!
>
> --
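The hosts.allow / hosts.deny tip in the thread is easy to get subtly wrong, because TCP wrappers evaluate hosts.allow first, then hosts.deny, and grant access when neither file matches, so the `sshd: ALL` deny line is what actually closes the door. The following is an added example, not code from the thread or from tcp_wrappers itself: a small Python evaluator that models only the subset of the rule syntax used above (a `daemon: client` line, where a client is `ALL`, a single address, or a `net/mask` such as `1.2.3.0/255.255.255.0`; no `EXCEPT`, hostnames or shell options). The two file contents are constructed samples mirroring the thread's rules, and `access_allowed` is a name chosen here.

```python
import ipaddress

# Constructed sample files mirroring the rules quoted in the thread.
HOSTS_ALLOW = """
# /etc/hosts.allow (constructed sample)
sshd: 1.2.3.0/255.255.255.0
"""
HOSTS_DENY = """
# /etc/hosts.deny (constructed sample)
sshd: ALL
"""


def parse_rules(text):
    """Parse 'daemon_list : client_list' lines into ([daemons], [clients])."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line or ":" not in line:
            continue
        daemons, _, clients = line.partition(":")
        rules.append((
            [d.strip() for d in daemons.split(",") if d.strip()],
            [c.strip() for c in clients.split(",") if c.strip()],
        ))
    return rules


def client_matches(pattern, addr):
    """Match one client pattern: ALL, a single address, or net/mask."""
    if pattern == "ALL":
        return True
    ip = ipaddress.ip_address(addr)
    if "/" in pattern:
        # ipaddress accepts both 1.2.3.0/255.255.255.0 (the thread's form) and 1.2.3.0/24.
        return ip in ipaddress.ip_network(pattern, strict=False)
    return ip == ipaddress.ip_address(pattern)


def rule_matches(rule, daemon, addr):
    daemons, clients = rule
    return (any(d in ("ALL", daemon) for d in daemons)
            and any(client_matches(c, addr) for c in clients))


def access_allowed(daemon, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """TCP wrappers evaluation order: a matching hosts.allow rule grants,
    otherwise a matching hosts.deny rule refuses, otherwise access is granted."""
    if any(rule_matches(r, daemon, addr) for r in parse_rules(allow_text)):
        return True
    if any(rule_matches(r, daemon, addr) for r in parse_rules(deny_text)):
        return False
    return True


if __name__ == "__main__":
    for client in ("1.2.3.77", "1.2.4.1", "203.0.113.9"):
        verdict = "allow" if access_allowed("sshd", client) else "deny"
        print(f"sshd from {client}: {verdict}")
```

Run it with a deny file that lacks the `sshd: ALL` line and every address outside the secure network is allowed, which is the default-allow behaviour the `ALL` line exists to override. Two things to check on a real host before relying on this tip: the rules only take effect if the installed `sshd` is linked against libwrap (`ldd $(which sshd) | grep libwrap`), and the iptables source restriction in the tip above is enforced before the packet ever reaches sshd, so the two are complementary rather than redundant.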
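Dan's two-rule `-m limit` chain is worth modelling before deploying, because the limit match is a token bucket: `--limit` is the refill rate and `--limit-burst` (default 5) is the bucket size, so a fresh bucket lets the first five packets through before the 2/minute rate applies, and a dropped packet spends no token. The following is an added example, not code from the thread or from netfilter: a Python simulation of that bucket run over a constructed timeline of connection attempts. `LimitMatch`, `simulate` and `accepted_count` are names chosen here. The simulation treats each arrival as a new connection attempt; the rules as quoted match every TCP packet to port 22, so unless an earlier rule accepts ESTABLISHED traffic, packets of an open session are throttled too.

```python
from fractions import Fraction


class LimitMatch:
    """Token-bucket model of iptables '-m limit'. --limit is the refill rate,
    --limit-burst (default 5) the bucket size. A packet matches only if a whole
    token is available; a packet that does not match consumes nothing.
    Fractions keep the arithmetic exact so refill boundaries are not blurred."""

    def __init__(self, per_minute, burst=5):
        self.seconds_per_token = Fraction(60, per_minute)
        self.burst = Fraction(burst)
        self.tokens = Fraction(burst)      # the bucket starts full
        self.last_seen = Fraction(0)

    def matches(self, now):
        now = Fraction(now)
        refill = (now - self.last_seen) / self.seconds_per_token
        self.tokens = min(self.burst, self.tokens + refill)
        self.last_seen = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def simulate(arrival_times, per_minute=2, burst=5):
    """Run packet arrival times (seconds) through the chain from the thread:
    '-m limit ... -j ACCEPT' followed by '-j DROP'.
    Returns one bool per packet: True = ACCEPT, False = DROP."""
    bucket = LimitMatch(per_minute, burst)
    return [bucket.matches(t) for t in arrival_times]


def accepted_count(arrival_times, per_minute=2, burst=5):
    return sum(simulate(arrival_times, per_minute, burst))


if __name__ == "__main__":
    # Constructed timeline: one connection attempt every second for 100 seconds.
    hammer = list(range(100))
    print("2/minute, default burst 5:", accepted_count(hammer), "of 100 accepted")
    print("2/minute, --limit-burst 1:", accepted_count(hammer, burst=1), "of 100 accepted")
```

With the rule exactly as quoted, a client hammering once a second for 100 seconds gets 8 packets through (the initial burst of 5, then one every 30 seconds); adding `--limit-burst 1` brings that down to 4. The table in `iptables -nvL` shows the same thing in the packet counters of the ACCEPT and DROP rules, which is the quickest way to confirm the limit is actually being hit on a live box.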
