Chinese Action



I've been seeing a marked increase in sshd attacks from China, on my home 
system even.

You might all want to take a look at your /var/log/auth.log or 
/var/log/secure and see what kind of action y'all are getting.

The common one they try for seems to be root, so make sure you have 
PermitRootLogin set to no. Other faves are git, admin and other common 
system ids. As I have a very static number of users on my system, I used 
AllowUsers in my sshd_config to further lock it down.

And if you like SSH'ing to root for some reason, you can restrict it by 
IP, like so:

Match Address 10.*
     PermitRootLogin yes

Finally, I picked up this little iptables snippet online, for those of you 
who haven't moved to firewalld yet, for really clamping down on failed 
attempts.

# Accept a NEW SSH connection from a given source IP only while that source
# stays within its bucket: 2 connections up front, then 1 per hour.
# --hashlimit-htable-expire is in milliseconds, so 60000 = 60 s: a source
# that stays quiet for a minute is forgotten and gets a fresh bucket.
# Note this limits every address the same way, including your own logins.
iptables -A INPUT -p tcp -m tcp --dport 22 -m state \
   --state NEW -m hashlimit --hashlimit 1/hour \
   --hashlimit-burst 2 --hashlimit-mode srcip \
   --hashlimit-name SSH --hashlimit-htable-expire 60000 \
   -j ACCEPT

# Any connection-opening SYN to port 22 that got past the rule above has
# exceeded its limit, so drop it.
iptables -A INPUT -p tcp -m tcp --dport 22 \
   --tcp-flags SYN,RST,ACK SYN -j DROP

# Catch-all for whatever NEW packets to port 22 remain (non-SYN starts, e.g.
# a connection conntrack picked up mid-stream); ordinary SYNs never get here.
iptables -A INPUT -p tcp -m state \
   --state NEW -m tcp --dport 22 -j ACCEPT

h.
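An added example, not part of h.'s post: a POSIX shell script that does the auth.log review suggested above over constructed sample lines, summarising failed logins by source address and by targeted username, and listing sources that cross a threshold. It assumes the standard OpenSSH "Failed password for ..." syslog format; the log lines, host names and addresses are constructed.

```shell
#!/bin/sh
# Constructed sample auth.log lines (not from a real host).  On a real
# system you would pass "$(cat /var/log/auth.log)" or /var/log/secure instead.
SAMPLE_LOG='Mar  3 04:12:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 04:12:03 host sshd[1201]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  3 04:12:09 host sshd[1204]: Invalid user admin from 203.0.113.5 port 51240
Mar  3 04:12:10 host sshd[1204]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar  3 04:13:22 host sshd[1210]: Failed password for invalid user git from 198.51.100.7 port 40022 ssh2
Mar  3 04:15:00 host sshd[1215]: Accepted publickey for h from 192.0.2.10 port 22222 ssh2'

# failed_by_source LOGTEXT -> "count ip" lines, busiest source first.
# Only "Failed password" lines count; "Invalid user" lines are preludes to
# them and would double-count the same attempt.
failed_by_source() {
    printf '%s\n' "$1" | awk '/sshd\[[0-9]+\]: Failed password for/ {
        for (i = 1; i <= NF; i++) if ($i == "from") { ip[$(i + 1)]++; break }
    } END { for (a in ip) print ip[a], a }' | sort -rn
}

# failed_by_user LOGTEXT -> "count user" lines, most-targeted name first.
# "Failed password for invalid user NAME" puts the name two words later
# than "Failed password for NAME", so both shapes are handled.
failed_by_user() {
    printf '%s\n' "$1" | awk '/sshd\[[0-9]+\]: Failed password for/ {
        for (i = 1; i <= NF; i++) if ($i == "for") {
            u = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1)
            user[u]++; break
        }
    } END { for (a in user) print user[a], a }' | sort -rn
}

# noisy_sources LOGTEXT THRESHOLD -> source IPs with at least THRESHOLD
# failures, i.e. candidates to review before adding them to a firewall rule.
noisy_sources() {
    failed_by_source "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

echo "Failed SSH logins by source:";   failed_by_source "$SAMPLE_LOG"
echo "Failed SSH logins by username:"; failed_by_user "$SAMPLE_LOG"
echo "Sources with 3 or more failures:"; noisy_sources "$SAMPLE_LOG" 3
```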
