Re: Limit the number of erroneous logins of root from the same IP



On 2011-11-15, Moe Trin <ibuprofin@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> On Tue, 15 Nov 2011, in the Usenet newsgroup alt.os.linux.redhat, in article
> <j9sfne$or$1@xxxxxxxxxxxxxxxxxx>, dold@xxxxxxxxxxxxxxxx wrote:
>
>> unruh <unruh@xxxxxxxxxx> wrote:
>>
>>> /etc/hosts.allow
>>> e.g.
>>> sshd:111.222.333.444 222.333.444.111 ....:deny
>>> to deny any ssh login from those IP addresses
>>
>> What happens when you try to connect from one of those addresses?
>> Does it come back quickly as "connection refused", or time out as if the
>> server didn't exist?
>
> The three-way handshake is completed, and then you get a "connection
> refused".
>
>> The iptables looks the same trying to connect to my server as it does
>> trying to connect to a non-existent server, which I think is handy.
>
> The router upstream returns an ICMP Type 3 Code 1 ("Host unreachable")?
> No, I suspect you have the system to return "nothing", which Steve
> Gibson (of GRC.com) claims makes you invisible. The fact that the
> upstream router DOESN'T return a "Host unreachable" means that it can
> talk to the destination.
>
>> If /etc/hosts.allow works at the same level of obscurity, it does
>> look easier to administer, and I might switch to that.
>
> No, if you're trying to pretend you don't exist, you need to use the
> firewall with the "DROP" rules. It is easier to admin, but it lacks
> a lot of features that the firewall has. Additionally, it only works
> with daemons that are able to use 'tcp_wrappers' or 'libwrap', and
> does not protect unopened ports as the firewall can.

Agreed. Although what "protecting unopened ports" means is a bit obscure,
since an unopened port has nothing listening and thus cannot be used to
do anything to you. Your machine will simply ignore any packet with that
port.
ssh uses tcpwrappers. And I do hope that you are using ssh and not
telnet or rsh on your machine.

> Old guy
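The thread turns on what a client actually observes in each case: a port with nothing listening (or an iptables REJECT) answers with a TCP RST and the client gets "connection refused" at once; an iptables DROP rule answers with nothing and the client waits for its timeout; a tcp_wrappers/libwrap deny is decided by the daemon only after the kernel has already completed the three-way handshake, so the client's connect() succeeds and the socket is then closed without a banner. The script below is an added example, not code from the thread, from tcp_wrappers or from OpenSSH. It parses the "sshd: addr addr : deny" form of hosts.allow line quoted above (assumption: only literal daemon names, literal IPv4 addresses and the keyword ALL, no netmasks, hostnames or other hosts_access(5) options), runs a fake "wrapped" daemon on loopback that applies such a rule the way libwrap does (accept, check the peer address, then either send a constructed banner or just close), and classifies what a probe sees. The daemon name "sshd", the banner string and the loopback set-up are all assumptions made for the demo.

```python
import socket
import threing if False else threading  # noqa: E401 (kept simple below)
```
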