[olug] Shell accounts? [OT?]
Rob Townley
rob.townley at gmail.com
Wed Sep 27 10:58:20 CDT 2017
ipset to efficiently and easily whitelist / blacklist large sets of IP
addresses such as from an entire country.
On Tue, Sep 26, 2017 at 11:26 PM, aric at omahax.com <aric at omahax.com> wrote:
> Thanks, that is a cool feature of iptables that I didn't know about. When
> I first read the port knocking suggestion on this thread I thought about
> the Dr. Strangelove doomsday machine. You could trigger events from a port
> knock. ....and then this Rick and Morty scene
> https://youtu.be/a69kN7gyE70
> There are several ways to block SSH attempts. I use pfSense to forward a non
> standard port, ban the IP after 5 failed attempts and ban IPs that port
> scan. The iptables way you suggested looks to be the simplest.
> ------ Original message ------
> From: Christopher Cashell
> Date: Tue, Sep 26, 2017 10:53 PM
> To: Omaha Linux User Group
> Cc:
> Subject: Re: [olug] Shell accounts? [OT?]
> On Thu, Sep 14, 2017 at 9:40 AM, Ben Hollingsworth wrote:
>
> > The biggest bummer, nostalgia aside, is SSH access. In order to keep the
> > log file noise to a minimum, my home firewall restricts which IP blocks are
> > allowed to SSH into my home computer. On the rare occasion when I need to
> > SSH in from an unapproved network, I was always able to SSH into falcon
> > first, then jump from there to my home machine. That route is no longer an
> > option, so I'll probably have to open up the firewall again. Or maybe I
> > can just paint with a bigger brush & block foreign IP's using that list
> > that somebody posted recently.
> >
>
> Someone mentioned port-knocking, which can be a handy solution for this.
> Another option that can significantly reduce the log noise is to use
> iptables to minimize or prevent brute-force SSH attacks.
>
> Replace the iptables rule on your box that is allowing TCP port 22 with the
> following:
>
> iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m
> hashlimit --hashlimit-mode srcip --hashlimit-upto 1/min --hashlimit-burst 4
> --hashlimit-name ssh -j ACCEPT
>
> That will limit new TCP connection attempts to a rate of 1 per minute, with
> a burst of 4 allowed per source IP. Basically, anyone who makes repeated
> ssh attempts too quickly will automatically have their connection attempts
> dropped. The more attempts they make, the longer they get blocked. The
> best thing about it is that it requires no maintenance or external
> applications (like fail2ban), and is very "fire and forget" for low
> connection rate protocols like SSH.
>
> One other handy option, you can keep SSH blocked from the outside, and use
> something like OpenVPN to connect remotely. Then, after establishing a VPN
> session to your computer externally, you can SSH across the VPN to not
> expose SSH publicly. This can also give you some additional access
> benefits to your system.
>
> For the ultimate in remote shell flexibility, I'll echo another suggestion
> that was thrown out, too: Linode. I've been using Linode.com for 10 years
> now, and I can't recommend them enough. They're Virtual Private Server
> (VPS) hosting by geeks/engineers for geeks/engineers.
>
> --
> > *Ben "Obi-Wan" Hollingsworth* obiwan at jedi.com
> > www.Jedi.com
>
>
>
> --
> Christopher
> _______________________________________________
> OLUG mailing list
> OLUG at olug.org
> https://www.olug.org/mailman/listinfo/olug
>
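The two mechanisms discussed in this thread, Christopher's hashlimit rule for port 22 and Rob's ipset suggestion for blocking whole address ranges, are shown together below in an added example that is not code from either poster. It prints the rules rather than applying them (applying them needs root and a box you are willing to lock yourself out of), adds the explicit DROP rule that the hashlimit ACCEPT relies on when the INPUT chain's default policy is not already DROP, and models the token bucket behind `--hashlimit-upto 1/min --hashlimit-burst 4` so you can see which attempts from one source are accepted. The CIDR file path, the `ssh_limit` set name and the sample RFC 5737 ranges are constructed for this example.

```shell
#!/bin/sh
# Added example for the OLUG thread (not Christopher's or Rob's own script).
# Generates rate-limited SSH rules plus an ipset-based range blocklist, and
# simulates hashlimit's token bucket for a single source IP.

RATE_SECONDS=60   # --hashlimit-upto 1/min: one credit is refilled every 60 s
BURST=4           # --hashlimit-burst 4: the bucket never holds more than 4 credits

# Print the iptables rules for port 22. The hashlimit rule only ACCEPTs
# within budget; the DROP after it is what actually discards the excess
# if the chain's policy is not already DROP.
ssh_ratelimit_rules() {
    cat <<EOF
iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m hashlimit --hashlimit-mode srcip --hashlimit-upto 1/min --hashlimit-burst $BURST --hashlimit-name ssh -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j DROP
EOF
}

# Print ipset/iptables commands that drop traffic from every CIDR listed in
# the file given as $1 (one network per line, '#' comments and blank lines
# ignored). hash:net lets one set hold thousands of prefixes cheaply.
country_block_rules() {
    file=$1
    echo "ipset create blocked_ranges hash:net -exist"
    while IFS= read -r cidr; do
        case $cidr in ''|'#'*) continue ;; esac
        echo "ipset add blocked_ranges $cidr -exist"
    done < "$file"
    echo "iptables -I INPUT -m set --match-set blocked_ranges src -j DROP"
}

# Model hashlimit's bucket for one source IP. Arguments: relative times in
# seconds (ascending) at which NEW SYNs arrive. Prints ACCEPT or DROP per
# attempt. Credit is kept in seconds: capacity BURST*RATE_SECONDS, refilled
# by the elapsed time, and each accepted packet costs RATE_SECONDS. A dropped
# packet does not consume credit.
simulate_hashlimit() {
    cap=$((BURST * RATE_SECONDS))
    credit=$cap
    last=0
    out=""
    for t in "$@"; do
        credit=$((credit + t - last))
        last=$t
        [ "$credit" -gt "$cap" ] && credit=$cap
        if [ "$credit" -ge "$RATE_SECONDS" ]; then
            credit=$((credit - RATE_SECONDS))
            out="$out ACCEPT"
        else
            out="$out DROP"
        fi
    done
    echo "${out# }"
}

# Stand-alone demo: show the rules and one attempt sequence.
if [ "${1:-}" = "--demo" ]; then
    ssh_ratelimit_rules
    tmpfile=$(mktemp)
    printf '# constructed sample ranges\n192.0.2.0/24\n198.51.100.0/24\n' > "$tmpfile"
    country_block_rules "$tmpfile"
    rm -f "$tmpfile"
    echo "attempts at 0,1,2,3,4,10,70,71 s:"
    simulate_hashlimit 0 1 2 3 4 10 70 71
fi
```

Run it with `--demo` to see the output. Four attempts in quick succession are accepted, the fifth and sixth are dropped, and by 70 s one credit has regenerated so one more attempt gets through. Before loading real rules, keep a second session open and add the rules in the order shown: if the DROP line is inserted before the hashlimit ACCEPT, every new SSH connection is blocked.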