Re: Great IP Auto-Ban script
> However I was told that ssh has no restriction of this type.
Nor does it need one, iptables does what you want. You can even set it to
drop the IPs after 'n' number of minutes, hours, days, weeks or whatever.
For me, I just block port 22 from everywhere, and allow it from IPs I know
and trust, including one public machine out on the net for when I travel.
My LAN is pretty high visibility, so I try to lock things down as much as
When I'm in $RANDOM_HOTEL on travel, I just ssh into this external public
machine from the hotel LAN, check what my connected IP is, ssh from the public
machine (which I trust) into my own LAN and open port 22 for the hotel's
/24. From there, I can then ssh directly from the hotel to my LAN without
When I'm done, I pull the iptables rule that opens the hotel's network and
it's all locked down again. Simple and clean.
sshhosts="127.0.0.1 10.0.1.0/24 220.127.116.11"; # and so on
for sshhost in $sshhosts; do
    iptables -A INPUT -j ACCEPT -p tcp -s $sshhost --dport 22
done
iptables -A INPUT -j DROP -p tcp --dport 22
Much safer than allowing 'n' number of attempts before blocking, because
someone COULD get it right on the first try for people who don't choose
complicated passwords (which is what these brute force ssh attackers do,
for the most part).
Another option is just to set up public keys and forget the whole password
One last option is just to use port knocking:
David A. Desrosiers
Linux on Power Developer Program Manager
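As an added example (not the poster's own script), here is the allowlist above extended with helpers for the travel workflow described: a dedicated chain that can be rebuilt without duplicating rules, input validation on the network you open, and the point that the hotel's /24 has to be inserted (-I) ahead of the DROP rather than appended (-A) behind it. The chain name SSH-ALLOW, the address 198.51.100.7 and the IPTABLES override are assumptions; set IPTABLES=echo to preview the rules without applying them.

```shell
#!/bin/sh
# Added example, not the poster's script: allowlist port 22 from trusted sources
# and open/close a travelling network's /24 as described above. The chain name
# SSH-ALLOW and the address 198.51.100.7 are assumed. Set IPTABLES=echo to
# preview the rules instead of applying them.
IPTABLES="${IPTABLES:-iptables}"
SSH_CHAIN="SSH-ALLOW"
SSH_HOSTS="127.0.0.1 10.0.1.0/24 198.51.100.7"   # trusted sources (constructed)

# Accept only an IPv4 address or CIDR (prefix 0-32) before handing it to iptables.
valid_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Build the chain once: ACCEPT per trusted source, then a final DROP. Re-running
# flushes and rebuilds instead of appending duplicates.
ssh_allowlist_setup() {
    $IPTABLES -N "$SSH_CHAIN" 2>/dev/null   # fails harmlessly if it already exists
    $IPTABLES -F "$SSH_CHAIN"
    for host in $SSH_HOSTS; do
        valid_cidr "$host" || { echo "bad source: $host" >&2; return 1; }
        $IPTABLES -A "$SSH_CHAIN" -s "$host" -j ACCEPT
    done
    $IPTABLES -A "$SSH_CHAIN" -j DROP
    # Hook the chain into INPUT only if that jump is not already present.
    $IPTABLES -C INPUT -p tcp --dport 22 -j "$SSH_CHAIN" 2>/dev/null ||
        $IPTABLES -A INPUT -p tcp --dport 22 -j "$SSH_CHAIN"
}

# Open the hotel's network temporarily. It must be inserted (-I) at the top of
# the chain: an appended (-A) rule would sit behind the DROP and never match.
open_net() {
    valid_cidr "$1" || { echo "bad network: $1" >&2; return 1; }
    $IPTABLES -I "$SSH_CHAIN" 1 -s "$1" -j ACCEPT
}

# Close it again when done; -D deletes exactly the rule open_net inserted.
close_net() {
    valid_cidr "$1" || { echo "bad network: $1" >&2; return 1; }
    $IPTABLES -D "$SSH_CHAIN" -s "$1" -j ACCEPT
}
```

Run `ssh_allowlist_setup` once at boot, then `open_net 203.0.113.0/24` from the trusted public box on arrival and `close_net 203.0.113.0/24` when leaving.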