Brute-Force SSH Server Attacks Surge -- InformationWeek
Bill McGonigle
bill at bfccomputing.com
Fri May 16 16:02:45 EDT 2008
On May 16, 2008, at 09:56, Tom Buskey wrote:
> Harder:
> port knocking
If you can live with simple port knocking, it's just this hard:
# Port 22 accepts a new connection only from an address already in the "SSH" recent list
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --rcheck --name SSH -j ACCEPT
# A hit on 1775 (the port just below the knock) removes the address again
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1775 -m recent --name SSH --remove -j DROP
# The knock itself: a SYN to 1776 adds the source address to the list, then is dropped
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1776 -m recent --name SSH --set -j DROP
# A hit on 1777 (the port just above the knock) removes the address again
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1777 -m recent --name SSH --remove -j DROP
Lines 2 and 4 are unnecessary if you're not concerned with sequential
port scanners.
Then just setup your remote access device (e.g. a palm with pssh in
my last non-scriptable case) with two profiles, one for 1776 and one
for 22 that you execute in series.
In the scriptable case (e.g. n810):
~/bin/sshlib:
#!/bin/sh
# Knock: the SYN to 1776 puts this address in the server's SSH recent list.
# The port DROPs, so -w 1 keeps nc from waiting more than a second for a reply.
/usr/bin/nc -w 1 liberty.gnhlug.org 1776
# Port 22 is now open to this address.
/usr/bin/ssh -c blowfish -X -C liberty.gnhlug.org
Heck, it wouldn't surprise me if ssh could pre-launch a script on a
per-machine config with a variable such that one could genericize the
above.
-Bill
-----
Bill McGonigle, Owner Work: 603.448.4440
BFC Computing, LLC Home: 603.448.1668
bill at bfccomputing.com Cell: 603.252.2606
http://www.bfccomputing.com/ Page: 603.442.1833
Blog: http://blog.bfccomputing.com/
VCard: http://bfccomputing.com/vcard/bill.vcf
More information about the gnhlug-discuss mailing list
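Bill's rules above are the one-knock case. The script below is an added example, not code from the post or from gnhlug: it generates the same kind of `-m recent` rules for an ordered sequence of knock ports (Bill's rules are the one-port instance), generalizes the n810 client script, and shows the ssh_config ProxyCommand route he wonders about at the end, so a plain `ssh liberty` does the knock. The chain names KNOCK and GATEn, the list names STAGEn, the 10-second window and the knock ports 7000 and 8000 are assumptions chosen for illustration; 1776 and liberty.gnhlug.org are Bill's.

```shell
#!/bin/sh
# Added example, not code from the original post: the post's single knock
# generalized to an ordered sequence of knock ports, server and client side,
# using the same iptables `-m recent` lists. Chain names (KNOCK, GATEn), list
# names (STAGEn), the window length and the ports used in the usage line are
# assumptions chosen for illustration.

# knock_rules SERVICE_PORT WINDOW_SECONDS KNOCK_PORT...
# Prints the iptables commands. Knock i moves a source address from list
# STAGE(i-1) to STAGE(i) through chain GATEi; the service port is accepted only
# for sources in the final STAGE list. Any other new TCP connection from a
# source mid-sequence clears its progress, so a sequential port scan never
# completes the sequence even though it hits every knock port in turn.
knock_rules() {
    svc_port=$1; window=$2; shift 2
    n=$#
    [ "$n" -ge 1 ] || { echo "knock_rules: need at least one knock port" >&2; return 1; }

    echo "iptables -N KNOCK"
    i=1
    while [ "$i" -le "$n" ]; do
        echo "iptables -N GATE$i"
        i=$((i + 1))
    done
    # Only new TCP connections are subject to knocking; this line must sit
    # before the firewall's final REJECT/DROP rule (use -I there instead of -A).
    echo "iptables -A INPUT -m state --state NEW -p tcp -j KNOCK"
    # Service port: open to a source that finished the sequence within the window.
    echo "iptables -A KNOCK -p tcp --dport $svc_port -m recent --rcheck --seconds $window --name STAGE$n -j ACCEPT"
    # Stage rules, highest stage first, so a port that appears twice in the
    # sequence advances the furthest stage the source has already reached.
    i=$n
    while [ "$i" -ge 1 ]; do
        eval "port=\${$i}"
        if [ "$i" -eq 1 ]; then
            echo "iptables -A KNOCK -p tcp --dport $port -j GATE1"
        else
            prev=$((i - 1))
            echo "iptables -A KNOCK -p tcp --dport $port -m recent --rcheck --seconds $window --name STAGE$prev -j GATE$i"
            echo "iptables -A GATE$i -m recent --name STAGE$prev --remove"
        fi
        # --set always matches, so the knock packet itself is dropped here.
        echo "iptables -A GATE$i -m recent --name STAGE$i --set -j DROP"
        i=$((i - 1))
    done
    # Anything else from a source mid-sequence resets it. These rules have no
    # target, so the packet continues down the chain whether or not it matched.
    i=1
    while [ "$i" -le "$n" ]; do
        echo "iptables -A KNOCK -m recent --name STAGE$i --remove"
        i=$((i + 1))
    done
    # Out-of-order knocks are dropped too, so a knock port answers the same way
    # (silence) whether or not a sequence is in progress.
    for port in "$@"; do
        echo "iptables -A KNOCK -p tcp --dport $port -j DROP"
    done
}

# knock_then_ssh HOST KNOCK_PORT... : the n810 script from the post, generalized.
# Knock ports drop the SYN without replying, so -w 1 bounds each knock to one
# second; the knocks go out strictly in order because each nc returns before
# the next one starts.
knock_then_ssh() {
    host=$1; shift
    for port in "$@"; do
        nc -z -w 1 "$host" "$port" 2>/dev/null
    done
    ssh "$host"
}

# ssh_knock_stanza ALIAS HOST KNOCK_PORT... : prints an ssh_config Host block
# that sends the knocks from ProxyCommand, so a plain `ssh ALIAS` suffices.
# %h and %p are ssh's own tokens for the target host and port; the final nc
# carries the SSH session itself.
ssh_knock_stanza() {
    name=$1; host=$2; shift 2
    cmd=""
    for port in "$@"; do
        cmd="${cmd}nc -z -w 1 %h $port; "
    done
    printf 'Host %s\n' "$name"
    printf '    HostName %s\n' "$host"
    printf "    ProxyCommand sh -c '%sexec nc %%h %%p'\n" "$cmd"
}

# Run with arguments to print the server-side rules, for example
#   sh knock.sh 22 10 1776 7000 8000
[ $# -eq 0 ] || knock_rules "$@"
```

Two things to keep in mind when using it: the service port still has to be blocked by the rest of the firewall for sources that have not knocked (on the RH chain above that is the chain's final REJECT, and the `-j KNOCK` line must come before it), and because any other new TCP connection from a knocking host resets its progress, a host that opens, say, a web connection to the server between two knocks has to start over.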