>>>  ... $IPTABLES_BIN -A INPUT -i $Interf -p tcp --dport 22 ...
>>>  ...  How can I translate this in shorewall? ...
>>  ... That approach has the disadvantage that ...
>  ...An even better solution (in MY opinion) ...

I'll add my two cents to this:

I've had excellent results simply by restricting the outside/source IP address 
to be in the ranges of the local ISPs. Everybody else from everywhere else in 
the country/continent/world that tries an SSH attack just gets the default DROP 
policy. In three years I haven't had a single SSH attack (note I didn't say
"successful attack" - I said "_no_ attack").

(This is certainly not adequate security by itself - it's still susceptible to
"zombies" ... if they can find you. But as just one of several parallel methods
it significantly reduces the pressure. Some of the other things I do are: 
configure the daemon to not allow 'root' no matter what [remote users can 
always `su` when necessary]; configure the daemon to only accept public/private 
keys but not passwords; change the port number to an obscure one far away, etc.)

thanks! -Chuck Kollars
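The source-range restriction and the sshd settings described above, written out as Shorewall and sshd configuration. This is an added example, not configuration from the thread or from the Shorewall project; the address ranges are placeholders (RFC 5737 documentation space) standing in for the real local ISP allocations, and 2222 is an arbitrary example port.

```conf
# /etc/shorewall/params -- name the ISP ranges once (PLACEHOLDER values from
# RFC 5737 documentation space; replace with the local ISPs' real allocations)
ISP_NETS=203.0.113.0/24,198.51.100.0/22

# /etc/shorewall/policy -- anything not matched by a rule is DROPped
#SOURCE   DEST   POLICY   LOG_LEVEL
$FW       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules
# Too open: the Shorewall equivalent of
#   iptables -A INPUT -i $Interf -p tcp --dport 22 -j ACCEPT
# which accepts SSH from the whole internet.
#ACTION   SOURCE            DEST   PROTO   DEST_PORT
#ACCEPT   net               $FW    tcp     22

# Restricted: only the listed ISP ranges reach sshd (moved here to port 2222);
# every other source falls through to the net->all DROP policy above.
ACCEPT    net:$ISP_NETS     $FW    tcp     2222

# /etc/ssh/sshd_config -- the daemon-side hardening from the post
Port 2222
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
```

Run `shorewall check` before `shorewall restart`, and keep an existing session open while confirming that a login from inside one of the listed ranges still works.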

Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users