matchlimit

Georgi Alexandrov tehlists at hotpop.com
Wed Apr 20 13:46:40 CEST 2005


Brent Clark wrote:

> Hi all
>
> What would be the recommended rule for matchlimit FROM a specific
> IP address.
>
> Last night I found that I was a victim of a dictionary brute force 
> attack.
>
> From what I gather I can see that no access was granted.
>
> If anyone has any tip, advice, etc it would be most appreciated.
>
> Kind Regards
> Brent Clark
>
> ====================================================================
> Copy and paste below from logwatch
> ====================================================================
>
>    --------------------- SSHD Begin ------------------------
> Failed logins from these:
>      Ionutz/password from 80.84.248.224: 1 Time(s)
>      Melk/password from 80.84.248.224: 1 Time(s)
>      aaron/password from 80.84.248.224: 1 Time(s)
>     

*snip*

> Illegal user portmap from 80.84.248.224
> Illegal user x from 80.84.248.224
> Illegal user jas from 80.84.248.224
>    ---------------------- SSHD End -------------------------
>    ###################### LogWatch End #########################
>
>

This will be kind of pointless too (banning IP addresses after they have 
attacked you) ... like having an umbrella but after the rain has stopped.
The better solution (my opinion) will be to secure your sshd to the 
highest level possible.
tips:
keep it up to date,
use strong passwords (long, containing numbers, special characters, up 
and lower case),
change the default port sshd listens to,
allow only ssh version 2,
disable password authentication at all and use pub/priv keys if possible,
allow only specific users and/or groups if possible,
disable root logins,
and finally, if possible (I don't like this option but someone may find 
it useful) - allow connections to the sshd port only from trusted/known 
IP addresses.

Everything written above is just my point of view and is concerning openssh.

regards,
Georgi Alexandrov
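
Added example, not part of the original post: a small auditor that checks sshd_config text against the sshd-side tips listed above (port, protocol, password authentication, root login, user/group allow-list). The function names and both sample configs are constructed for illustration; the Protocol check only matters on OpenSSH releases that still support protocol 1.

```python
import re

def parse_sshd_config(text):
    """Map lower-cased keyword -> list of values, global section only."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # keyword and argument are separated by whitespace or a single '='
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()          # keywords are case-insensitive
        if key == "match":
            break  # everything below applies only to matching connections
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, []).append(value)
    return settings

def audit(text):
    """Return the list of tips from the post that the config does not meet."""
    s = parse_sshd_config(text)

    def first(key):
        # sshd uses the first value it reads for a single-valued keyword
        return s.get(key, [""])[0].lower()

    findings = []
    if "22" in s.get("port", ["22"]):   # Port may repeat; unset means 22
        findings.append("port")
    if first("protocol") != "2":
        findings.append("protocol")
    if first("passwordauthentication") != "no":
        findings.append("passwordauthentication")
    if first("permitrootlogin") != "no":
        findings.append("permitrootlogin")
    if not (s.get("allowusers") or s.get("allowgroups")):
        findings.append("allow-list")
    return findings

# Constructed sample: a later "PermitRootLogin yes" is ignored (first wins),
# a second Port line still leaves 22 open, and the AllowUsers inside the
# Match block does not restrict other users.
SAMPLE = """# constructed sample
Port 22
port 2222
PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
Match User backup
    AllowUsers backup
"""
# Constructed sample that satisfies every check; "brent" is a placeholder user.
HARDENED = "Port 2222\nProtocol 2\nPasswordAuthentication no\nPermitRootLogin no\nAllowUsers brent\n"
```

Calling audit(SAMPLE) returns the names of the unmet tips and audit(HARDENED) returns an empty list; restricting the sshd port to trusted source addresses is a firewall rule and is outside what this checks.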


