iptables +block country

Nataraj incoming-ubuntu at rjl.com
Mon Aug 16 19:04:21 UTC 2010


Markus Schönhaber wrote:
> 16.08.2010 10:57, Harry Strongburg:
>
>> But yeah, fail2ban and using a high port for anything with
>> authentication has lowered attacking bots to less than one per year. The
>> one or two it catches per year appeared to have been manually started,
>> not a normal port-22 scan. The one to two that comes in, fail2ban grabs
>> and bans them for however long I want! >:) As long as your password is
>> "good".
>
> Yep, that's similar to what I do:
> - wherever possible, I don't allow password-based authentication for ssh
> at all. This is for security.
> - I move the ssh port way up. This is to mute the noise.
>
I would look at http://www.cipherdyne.org/fwknop/

With fwknop, you completely block your services.  Then when you remotely 
authenticate to fwknopd, it adds iptables rules to open up the ports 
that you request access to, only from your ip address.  fwknopd uses 
promiscuous mode to sniff the network for udp authentication packets, so 
a remote attacker has no idea that it is running since there is no 
listener.  Remote users simply don't see the services that are blocked.  
The fwknop client uses gpg keys for authentication, so if you set your 
keyrings and timeouts up correctly, you won't have to keep typing a 
password to reauthenticate.  Newer versions, I believe, will support 
keeping the ports open as long as you have an open connection.

This works well in cases where the users are willing to run the 
authentication client.  Obviously, it won't work for public resources 
or could be too inconvenient for inexperienced users that don't want to 
deal with an authentication client.  I have been running fwknop for 
several years and have found it to be quite solid and reliable.

Nataraj
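The default-deny layout the reply describes (everything blocked, a per-source ACCEPT added only after authentication and dropped again after a timeout) written out by hand as an added example; this is not code from the mail or from the fwknop project, and the chain name SPA_INPUT, the sample client address 203.0.113.5 and the dry-run default are assumptions of the example:

```shell
#!/bin/sh
# Added example, not fwknop's own code. IPTABLES defaults to "echo" so the
# script only prints what it would do; run with IPTABLES=iptables as root
# to apply the rules for real.
set -eu
IPTABLES=${IPTABLES:-echo}
CHAIN=SPA_INPUT          # assumed chain name; fwknopd uses its own
SSH_PORT=22

# Default-deny baseline: nothing reaches a service unless a rule in
# $CHAIN permits it. The ESTABLISHED rule is what keeps a session alive
# after its temporary grant is removed, which is the "stay open while a
# connection exists" behaviour the mail mentions.
base_policy() {
    $IPTABLES -N "$CHAIN"
    $IPTABLES -P INPUT DROP
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -j "$CHAIN"
}

# The rule a successful single-packet authentication would add: only the
# authenticated source address, only the requested port, only new flows.
access_rule() {   # $1 = client IP, $2 = tcp port
    printf '%s' "$CHAIN -s $1 -p tcp --dport $2 -m conntrack --ctstate NEW -j ACCEPT"
}

# Insert the grant, then delete it after $3 seconds (the access timeout).
# $rule is deliberately unquoted so it expands to separate arguments.
grant_access() {  # $1 = client IP, $2 = tcp port, $3 = seconds
    rule=$(access_rule "$1" "$2")
    $IPTABLES -I $rule
    ( sleep "$3"; $IPTABLES -D $rule ) &
}

# Dry-run demonstration with a constructed client address.
base_policy
echo "grant for one client would be: $(access_rule 203.0.113.5 "$SSH_PORT")"
```

Call `grant_access 203.0.113.5 22 30` to see the insert/delete pair; the removal runs from a background subshell after the timeout.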
