[olug] Shell accounts? [OT?]

Tony Gies tony.gies at gruppe86.net
Sun Oct 1 00:10:12 CDT 2017


I run ssh on port 22, but I do port knocking entirely within iptables via
the xt_recent extension to eliminate all the bogus login attempts from
bots. I just set it up to drop connections to port 22 unless they have also
attempted to connect to some arbitrary high numbered port recently first.

On Sep 27, 2017 13:57, "Kevin" <sharpestmarble at gmail.com> wrote:

> You could also make the list shorter but much less readable and
> maintainable by taking advantage of CIDR VLSM:
> 58.0.0.0/7
> 60.0.0.0/7
> 62.0.0.0/8
> 77.0.0.0/8
> 78.0.0.0/7
> 80.0.0.0/6
> 84.0.0.0/5
> 88.0.0.0/6
> 90.0.0.0/7
> 116.0.0.0/6
> 120.0.0.0/6
> 124.0.0.0/7
> 126.0.0.0/8
> 190.0.0.0/8
> 193.0.0.0/8
> 194.0.0.0/7
> 200.0.0.0/6
> 210.0.0.0/7
> 212.0.0.0/7
> 217.0.0.0/8
> 218.0.0.0/7
> 220.0.0.0/7
> 222.0.0.0/8
>
>
> On Wed, Sep 27, 2017 at 11:26 AM, Lou Duchez <lou at paprikash.com> wrote:
>
> > In case anyone's interested, I came across this list of international IP
> > addresses some time ago; I can't confirm its accuracy or completeness, but
> > thus far it hasn't caused me any problems (that I know of).  In my
> > firewalls I typically block all IPs in these ranges except for email and
> > Web access; I spend so little time hiking through the Balkans, I feel
> > pretty safe blocking all SSH connections from Sarajevo.
> >
> >
> > N Filename iptables.rules
> > N Russia .ru
> > 89.0.0.0/8
> >
> > N RIPE.NET (Europe, the Middle East and parts of Central Asia)
> > 62.0.0.0/8
> > 77.0.0.0/8
> > 78.0.0.0/8
> > 79.0.0.0/8
> > 80.0.0.0/8
> > 81.0.0.0/8
> > 82.0.0.0/8
> > 83.0.0.0/8
> > 84.0.0.0/8
> > 85.0.0.0/8
> > 86.0.0.0/8
> > 87.0.0.0/8
> > 88.0.0.0/8
> > 89.0.0.0/8
> > 90.0.0.0/8
> > 91.0.0.0/8
> > 193.0.0.0/8
> > 194.0.0.0/8
> > 195.0.0.0/8
> > 212.0.0.0/8
> > 213.0.0.0/8
> > 217.0.0.0/8
> >
> > N APNIC (Asian Pacific Network Information Center)
> > 58.0.0.0/8
> > 59.0.0.0/8
> > 60.0.0.0/8
> > 61.0.0.0/8
> > 202.0.0.0/8
> > 203.0.0.0/8
> > 210.0.0.0/8
> > 211.0.0.0/8
> > 218.0.0.0/8
> > 219.0.0.0/8
> > 220.0.0.0/8
> > 221.0.0.0/8
> > 222.0.0.0/8
> > 116.0.0.0/8
> > 117.0.0.0/8
> > 118.0.0.0/8
> > 119.0.0.0/8
> > 120.0.0.0/8
> > 121.0.0.0/8
> > 122.0.0.0/8
> > 123.0.0.0/8
> > 124.0.0.0/8
> > 125.0.0.0/8
> > 126.0.0.0/8
> >
> > N End APNIC Addresses
> >
> > N LACNIC (Latin American and Caribbean Network Information Center)
> > 189.0.0.0/8
> > 190.0.0.0/8
> > 200.0.0.0/8
> > 201.0.0.0/8
> > N End LACNIC
> >
> > N Add .EU here?
> > N duesentrieb.kunst.uni-frankfurt.de
> > 141.0.0.0/8
> > N end .EU
> >
> > 88.0.0.0/8
> > 85.0.0.0/8
> >
> >
> >
> >> ipset to efficiently and easily whitelist / blacklist large sets of IP
> >> addresses such as from an entire country.
> >>
> >>
> >> On Tue, Sep 26, 2017 at 11:26 PM, aric at omahax.com <aric at omahax.com>
> >> wrote:
> >>
> >>> Thanks, that is a cool feature of iptables that I didn't know about.  When
> >>> I first read the port knocking suggestion on this thread I thought about
> >>> the Dr. Strangelove doomsday machine.  You could trigger events from a port
> >>> knock.  ....and then this Rick and Morty scene
> >>> https://youtu.be/a69kN7gyE70
> >>> There are several ways to block SSH attempts.  I use pfSense to forward a
> >>> non-standard port, ban the IP after 5 failed attempts and ban IPs that port
> >>> scan.  The iptables way you suggested looks to be the simplest.
> >>> ------ Original message------
> >>> From: Christopher Cashell
> >>> Date: Tue, Sep 26, 2017 10:53 PM
> >>> To: Omaha Linux User Group;
> >>> Cc:
> >>> Subject: Re: [olug] Shell accounts? [OT?]
> >>> On Thu, Sep 14, 2017 at 9:40 AM, Ben Hollingsworth  wrote:
> >>>
> >>>> The biggest bummer, nostalgia aside, is SSH access.  In order to keep the
> >>>> log file noise to a minimum, my home firewall restricts which IP blocks are
> >>>> allowed to SSH into my home computer.  On the rare occasion when I need to
> >>>> SSH in from an unapproved network, I was always able to SSH into falcon
> >>>> first, then jump from there to my home machine.  That route is no longer an
> >>>> option, so I'll probably have to open up the firewall again.  Or maybe I
> >>>> can just paint with a bigger brush & block foreign IP's using that list
> >>>> that somebody posted recently.
> >>>>
> >>> Someone mentioned port-knocking, which can be a handy solution for this.
> >>> Another option that can significantly reduce the log noise is to use
> >>> iptables to minimize or prevent brute-force SSH attacks.
> >>>
> >>> Replace the iptables rule on your box that is allowing TCP port 22 with the
> >>> following:
> >>>
> >>> iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW \
> >>>   -m hashlimit --hashlimit-mode srcip --hashlimit-upto 1/min \
> >>>   --hashlimit-burst 4 --hashlimit-name ssh -j ACCEPT
> >>>
> >>> That will limit new TCP connection attempts to a rate of 1 per minute, with
> >>> a burst of 4 allowed per source IP.  Basically, anyone who makes repeated
> >>> ssh attempts too quickly will automatically have their connection attempts
> >>> dropped.  The more attempts they make, the longer they get blocked.  The
> >>> best thing about it is that it requires no maintenance or external
> >>> applications (like fail2ban), and is very "fire and forget" for low
> >>> connection rate protocols like SSH.
> >>>
> >>> One other handy option, you can keep SSH blocked from the outside, and use
> >>> something like OpenVPN to connect remotely.  Then, after establishing a VPN
> >>> session to your computer externally, you can SSH across the VPN to not
> >>> expose SSH publicly.  This can also give you some additional access
> >>> benefits to your system.
> >>>
> >>> For the ultimate in remote shell flexibility, I'll echo another suggestion
> >>> that was thrown out, too: Linode.  I've been using Linode.com for 10 years
> >>> now, and I can't recommend them enough.  They're Virtual Private Server
> >>> (VPS) hosting by geeks/engineers for geeks/engineers.
> >>>
> >>> --
> >>>
> >>>> *Ben "Obi-Wan" Hollingsworth* obiwan at jedi.com
> >>>> www.Jedi.com
> >>>>
> >>>
> >>>
> >>> --
> >>> Christopher
> >>> _______________________________________________
> >>> OLUG mailing list
> >>> OLUG at olug.org
> >>> https://www.olug.org/mailman/listinfo/olug


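A small model of the two iptables match extensions discussed in this thread (Tony's xt_recent knock and Christopher's hashlimit rule), as an added example that is not part of any post here; the knock port 31337, the 30-second window and the sample traffic are assumptions, and the bucket follows hashlimit's token-bucket behaviour (capacity = burst, refilled at the --hashlimit-upto rate, one token per NEW connection).

```python
class Recent:
    """Model of the xt_recent list Tony describes: last hit time per source."""
    def __init__(self):
        self.seen = {}

    def set(self, ip, now):                 # -m recent --set
        self.seen[ip] = now

    def rcheck(self, ip, now, seconds):     # -m recent --rcheck --seconds N
        return ip in self.seen and now - self.seen[ip] <= seconds


class HashLimit:
    """Model of xt_hashlimit --hashlimit-mode srcip: a token bucket per source,
    capacity = burst, refilled at per_minute tokens per minute."""
    def __init__(self, per_minute, burst):
        self.rate, self.burst = per_minute / 60.0, burst
        self.tokens, self.last = {}, {}

    def match(self, ip, now):
        elapsed = now - self.last.get(ip, now)
        t = min(self.burst, self.tokens.get(ip, self.burst) + elapsed * self.rate)
        self.last[ip] = now
        self.tokens[ip] = t - 1 if t >= 1 else t
        return t >= 1


def knock_chain(attempts, knock_port=31337, window=30):
    """Verdict per (seconds, src, dport) under Tony's scheme: a hit on the knock
    port is recorded and dropped (so the port looks closed); 22 is accepted only
    if the same source knocked within `window` seconds; the final DROP stands in
    for the rule or policy that must follow the ACCEPT."""
    recent, verdicts = Recent(), []
    for now, ip, port in attempts:
        if port == knock_port:
            recent.set(ip, now)
            verdicts.append("DROP")
        elif port == 22 and recent.rcheck(ip, now, window):
            verdicts.append("ACCEPT")
        else:
            verdicts.append("DROP")
    return verdicts


def hashlimit_chain(attempts):
    """Christopher's rule (--hashlimit-upto 1/min --hashlimit-burst 4): ACCEPT
    matches while the source's bucket holds a token; non-matching packets fall
    through, so a DROP rule or DROP policy after it is what blocks the burst."""
    hl = HashLimit(per_minute=1, burst=4)
    return ["ACCEPT" if port == 22 and hl.match(ip, now) else "DROP"
            for now, ip, port in attempts]
```

Both chains report DROP for whatever the ACCEPT rule does not match, which holds on a real box only if a DROP rule or a DROP chain policy follows the ACCEPT; with a burst of 4 and 1/min refill, a fifth attempt within a few seconds is refused and the source regains a single token only after a full minute.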