sshd config problem.

Bill McGonigle bill at bfccomputing.com
Mon Sep 3 15:22:31 EDT 2007


On Sep 3, 2007, at 00:33, Steven W. Orr wrote:

> I had previously
> modified my listening port from 22 to something with a couple of extra
> digits for the kiddys.

I might have mentioned this before, but I find iptables and knocking  
more effective and less confusing (to me) than changing the port  
number for ssh.  e.g.:

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --rcheck --name SSH -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1233 -m recent --name SSH --remove -j DROP
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1234 -m recent --name SSH --set -j DROP
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1235 -m recent --name SSH --remove -j DROP

To use, just connect to port 1234 from the originating IP before  
trying to make the ssh connection.  Sequential port scanners probably  
won't find it, random port scanners have a fleeting chance of finding  
it, and of course, a purpose-built scanner could.  So use publickey  
auth or better too.

Practically speaking, I don't see kiddie scripts cluttering my logs  
anymore.  You could do different things on different interfaces in  
iptables pretty easily if needed.

-Bill

-----
Bill McGonigle, Owner           Work: 603.448.4440
BFC Computing, LLC              Home: 603.448.1668
bill at bfccomputing.com           Cell: 603.252.2606
http://www.bfccomputing.com/    Page: 603.442.1833
Blog: http://blog.bfccomputing.com/
VCard: http://bfccomputing.com/vcard/bill.vcf
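The four rules above are an `xt_recent` state machine; the following is an added simulation (not from Bill's mail) that replays NEW-packet sequences against it, so you can see why the decoy ports 1233 and 1235 defeat a sequential scan while a single knock on 1234 from the same source opens port 22. The source addresses are constructed, and the chain's final REJECT is an assumption about the stock RH-Firewall-1-INPUT chain.

```python
# Added example: models the "SSH" recent-list maintained by the rules in the
# mail. Port numbers are taken from the mail; everything else is constructed.
KNOCK_PORT = 1234            # --dport 1234 ... -m recent --name SSH --set
DECOY_PORTS = {1233, 1235}   # --dport 1233/1235 ... -m recent --name SSH --remove
SSH_PORT = 22                # --dport 22 ... -m recent --rcheck --name SSH -j ACCEPT


def decide(src, dport, ssh_list):
    """Apply the chain to one NEW TCP packet from src to dport.

    ssh_list mirrors /proc/net/xt_recent/SSH: the set of sources currently
    recorded under --name SSH. Rules are evaluated in the chain's order.
    """
    if dport == SSH_PORT and src in ssh_list:   # --rcheck: source has knocked
        return "ACCEPT"
    if dport in DECOY_PORTS:                    # --remove: forget the source
        ssh_list.discard(src)
        return "DROP"
    if dport == KNOCK_PORT:                     # --set: remember the source
        ssh_list.add(src)
        return "DROP"
    # None of the four rules matched: the packet falls through to the rest of
    # the chain, which in the stock RH chain ends in REJECT (assumed here).
    return "REJECT"


def run(packets):
    """Replay a list of (src, dport) NEW packets; return the per-packet verdicts."""
    ssh_list = set()
    return [decide(src, dport, ssh_list) for src, dport in packets]


if __name__ == "__main__":
    client, scanner = "192.0.2.10", "198.51.100.7"       # constructed addresses
    print("knock then ssh:", run([(client, 1234), (client, 22)]))
    print("sequential scan:", run([(scanner, p) for p in (1233, 1234, 1235, 22)]))
    print("knock from another host:", run([(scanner, 1234), (client, 22)]))
```

A scanner walking ports in order sets the entry at 1234 and immediately clears it at 1235, so its later probe of 22 still falls through; a source that never knocks, or a different source than the one that knocked, never reaches ACCEPT.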
