Re: Controlling port blocking with web interface
- From: ibuprofin@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin)
- Date: Tue, 17 Jan 2006 18:52:00 -0600
On 16 Jan 2006, in the Usenet newsgroup comp.os.linux.networking, in article
<1137427664.506607.278840@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>, Nathan Funk wrote:
>I get many malicious login attempts to my ssh server every day. They
>show up in my logs and annoy me. I know I could turn off the logging
>and just ensure that my passwords are not in a dictionary.
Not just "not in a dictionary" but also mixed case, containing one
or more numbers and punctuation. However, another good idea is a
non-standard username (used to be, we'd use 'firstname,last_initial' or
first_initial,last_name, or similar for usernames, and use a random
number generator to get an initial password - now, it's head -2 /dev/random
piped into mimencode to get username _AND_ password). There's no reason
for the username to be something obvious (and unsafe) like 'root'.
>When I travel I would like to allow specific IPs without knowing them
>in advance. The best solution I could think of so far is to control
>everything through the web server on the same machine. I should be able
>to go to a specific page, enter the IP address I want to allow and then
>be able to log in via ssh.
Wowser, you're jumping out of the frying pan right into the fire. Web
pages are REALLY not secure.
>Is there any software out there that can accomplish what I'm looking
>for? Is there maybe even a better solution?
1. Don't run your SSHD on the "standard" port (22), but move it off into
the unexplored boonies - pick a number between 1 and 65535 - ANYTHING other
than the obvious ones (and that includes such l33t skript kiddiez numbers
like 12345, 54321, 7337, 55555, and so on). Avoid "normal" ports - more and
more ISPs are blocking port 25 to reduce zombie spam. Recall that many scan
tools like nmap default to looking at ports 1-1024 - so they're less than
desirable.
2. Port knocking. You have to (try to) connect to some specific closed
port on your server, which then causes another port to open for a period.
There was a recent thread on one of the Linux newsgroups, complete with
example firewall rules to accomplish this, but a quick google search fails
to turn it up. This works best in combination with "non-standard" ports. Try
http://www.portknocking.org/, http://www.linuxjournal.com/article/6811, and
http://www.tummy.com/journals/entries/jafo_20050716_152920 for further hints.
3. Blanket firewall rules - to close access from ranges that you are not
likely to need. Everyone picks on Asia and Central/South America as being
places to block, well - here are a couple ranges that might be an example:
58.0.0.0/7, 60.0.0.0/7, 120.0.0.0/5, 189.0.0.0/8, 190.0.0.0/8, 200.0.0.0/6,
210.0.0.0/7, 218.0.0.0/7, 220.0.0.0/6. What's that, nine rules? It
will result in blocking a lot of APNIC and LACNIC (but let me stress this,
NOT ALL). Six more similar sized rules, and you can piss off a lot of people
in Europe. Collateral damage? Wazzat? See
http://www.iana.org/assignments/ipv4-address-space for guesses at this scale
of block.
Old guy
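The port-knocking idea in item 2 (connection attempts to specific closed ports open another port for a limited period) as a small state machine, added here as an illustration rather than code from the post or from the sites it links. The knock ports, the timing window and the open duration are constructed values; a real deployment would feed the attempts in from the firewall's log of dropped packets and add/remove the accept rule itself.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed example sequence: three closed, non-obvious high ports, in order.
KNOCK_SEQUENCE: Tuple[int, ...] = (7000, 8000, 9000)
KNOCK_WINDOW = 10.0    # seconds allowed between consecutive knocks (assumed)
OPEN_DURATION = 30.0   # seconds the protected port stays open afterwards (assumed)

@dataclass
class KnockState:
    progress: int = 0      # how many knocks of the sequence have matched so far
    last_knock: float = 0.0

class PortKnocker:
    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW, open_for=OPEN_DURATION):
        self.sequence = sequence
        self.window = window
        self.open_for = open_for
        self.state: Dict[str, KnockState] = {}   # per-source progress
        self.allowed: Dict[str, float] = {}      # source ip -> expiry time

    def knock(self, src: str, port: int, now: float) -> bool:
        """Feed one connection attempt to a closed port.
        Returns True when this attempt completes the sequence and access is granted."""
        st = self.state.setdefault(src, KnockState())
        if st.progress and now - st.last_knock > self.window:
            st.progress = 0          # too slow between knocks: start over
        if port == self.sequence[st.progress]:
            st.progress += 1         # correct next knock
        else:
            # Wrong port resets; a scanner walking 7000, 7001, ... never gets past step 1.
            st.progress = 1 if port == self.sequence[0] else 0
        st.last_knock = now
        if st.progress == len(self.sequence):
            self.allowed[src] = now + self.open_for
            del self.state[src]
            return True
        return False

    def is_allowed(self, src: str, now: float) -> bool:
        """True while the source's grant has not expired (expired grants are dropped)."""
        expiry = self.allowed.get(src)
        if expiry is None:
            return False
        if now > expiry:
            del self.allowed[src]
            return False
        return True
```

Because the grant carries an expiry, a forgotten hole closes itself; combined with the non-standard SSH port from item 1, a bare scan of the box still sees nothing open.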