Hi.

On Thu, 8 Dec 2016 15:37:45 +0000 Darac Marjal <mailingl...@darac.org.uk> wrote:

> On Thu, Dec 08, 2016 at 01:18:38AM +0300, Reco wrote:
> >On Wed, 7 Dec 2016 15:54:46 -0500
> >Henning Follmann <hfollm...@itcfollmann.com> wrote:
> >
> >> On Wed, Dec 07, 2016 at 11:28:53PM +0300, Reco wrote:
> >> > Hi.
> >> >
> >> > On Wed, 7 Dec 2016 21:14:51 +0200
> >> > Antti Talsta <atal...@nothingtosee.org> wrote:
> >> >
> >> > > On Wed, Dec 07, 2016 at 01:49:34PM -0500, Greg Wooledge wrote:
> >> > >
> >> > > > Changing the port at least decreases the number of brute force
> >> > > > attacks against you, which saves resources (bandwidth, CPU) that
> >> > > > are otherwise wasted by the attackers.
> >> > >
> >> > > How about fail2ban for that?
> >> >
> >> > How can fail2ban help against an army of bots trying one single
> >> > password per bot?
> >> >
> >> That actually works well. Usually it's multiple attempts from one IP.
> >> fail2ban catches exactly that. And then blacklists that IP.
> >
> >Probably it is so. It's been a while since I ran publicly accessible
> >sshd on port 22 with password authentication enabled.
> >
> >Personally I prefer a bunch of simple iptables rules to fail2ban
> >though. After all, why bother running a userspace tool, if you can
> >force the kernel itself to do the job?
>
> Could you share with the group what "simple iptables rules" you use? I
> presume that iptables, by itself, can't replicate the idea of "block
> after X failures in Y minutes", but presumably you're using some kind of
> rate limiting, instead?

Sure.
It's in the archives somewhere already, but:

iptables -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW \
    -m hashlimit --hashlimit-upto 1/hour --hashlimit-burst 8 \
    --hashlimit-mode srcip --hashlimit-name ssh \
    --hashlimit-htable-expire 65536 -m comment --comment "HTTPS Blocker" \
    -j ACCEPT

iptables -A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN \
    -m comment --comment "HTTPS Blocker" -j DROP

Back in the day, when I was not that lazy about building kernel modules, I
used TARPIT instead of DROP.

PS. In the previous discussion of this very topic it was pointed out to me
that such an iptables configuration is unsuitable for a certain 'Modern
Desktop Environment'. Therefore this iptables configuration should be used
on an 'I understand what I'm doing' basis.

Reco
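A token-bucket model of what those two rules admit per source address, added here as an illustration (not from the original mail, and not kernel code); it assumes the integer credit accounting described in its comments and takes --hashlimit-htable-expire to be in milliseconds, as the iptables-extensions man page specifies:

```python
"""Token-bucket model of the two iptables rules above (constructed
illustration, not kernel code). Kernel-style integer accounting: an accepted
NEW connection costs COST credits and a source earns one credit per second,
so --hashlimit-upto 1/hour is COST = 3600; --hashlimit-burst 8 caps at 8*COST."""
from dataclasses import dataclass, field

COST = 3600          # credits spent per accepted NEW connection (1 per hour)
BURST = 8            # --hashlimit-burst 8
CAP = BURST * COST   # a new entry starts full: 8 connections pass at once
EXPIRE_MS = 65536    # --hashlimit-htable-expire is in milliseconds (~65.5 s)


@dataclass
class Entry:
    credits: int
    last_seen: int


@dataclass
class HashLimit:
    """One entry per source IP, as --hashlimit-mode srcip keys the table."""
    table: dict = field(default_factory=dict)

    def new_connection(self, src_ip: str, now: int) -> str:
        """Verdict for a NEW SYN from src_ip arriving at time `now` (seconds)."""
        e = self.table.get(src_ip)
        # Assumption: an entry idle for longer than EXPIRE_MS is garbage-collected,
        # so the next packet from that source gets a full bucket again.
        if e is None or (now - e.last_seen) * 1000 > EXPIRE_MS:
            e = Entry(credits=CAP, last_seen=now)
            self.table[src_ip] = e
        else:
            e.credits = min(CAP, e.credits + (now - e.last_seen))
            e.last_seen = now  # any packet, matched or not, keeps the entry alive
        if e.credits >= COST:
            e.credits -= COST
            return "ACCEPT"    # first rule matches
        return "DROP"          # falls through to the SYN DROP rule


def simulate(events):
    """events: iterable of (time_seconds, src_ip); returns the verdict list."""
    hl = HashLimit()
    return [hl.new_connection(ip, t) for t, ip in events]


if __name__ == "__main__":
    # Constructed sample traffic using RFC 5737 documentation addresses.
    print(simulate([(i, "198.51.100.7") for i in range(10)]))  # 8 ACCEPT, 2 DROP
    print(simulate([(0, "203.0.113.9")] * 8 + [(70, "203.0.113.9")])[-1])  # ACCEPT
```

The second sample shows the caveat in the expiry value as written: a source that stays quiet for longer than 65536 ms is forgotten and comes back with a fresh burst of 8, so the table expiry needs to be at least as long as the window you mean to enforce.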