[PLUG] iptables redux

Rich Shepard rshepard at appl-ecosys.com
Tue Aug 17 15:11:02 UTC 2004


On Tue, 17 Aug 2004, Roderick A. Anderson wrote:

> Do deny/drop/reject rules come before or after the accept rules?

Rod,

  My understanding -- and the way I'm set up here -- is that deny is the
default and is listed first. Then I accept me as a legitimate ssh user:

#
# Policy for chains DROP everything
#

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# SSH:

# Rewrite inbound port 22 on the outside address to the internal server,
# then let the rewritten packets through the FORWARD chain (policy is DROP).
iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 22 -j DNAT --to ${SERVER_IP}:22
iptables -A FORWARD -p tcp -d ${SERVER_IP} --dport 22 -o ${INSIDE_DEVICE} -j ACCEPT

  I let /etc/sshd.conf handle who's allowed in.

> Short story.  I'm still getting the script kiddies pounding at my sshd
> port and the sshd_config setting still lets them try to log in but never
> validates them.

  Glad you mentioned this. I've noticed that the past few weeks have brought
a flood of attempts for "user", "test", "guest" and selected other usernames
via ssh2. Almost all from Japan and Korea. I wondered if others were seeing
the same flood.

  It used to be that attempts to crack the system were sporadic and
infrequent. Now they occur almost every day and the same IP address may try
a dozen times or more before giving up and going off to play elsewhere.
Harmless, but still not my preference to see in my daily log summaries.

Rich

-- 
Dr. Richard B. Shepard, President
Applied Ecosystem Services, Inc. (TM)
<http://www.appl-ecosys.com>
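The ordering question in this thread comes down to how a chain is evaluated: rules are walked top to bottom, the first match decides, and the -P policy only applies when nothing matched. The following is an added model of that evaluation, not code from the original post; it does not call iptables, and the server address and interface name are placeholders.

```python
# Constructed model of iptables first-match evaluation (added example, not
# part of the original post). Addresses and the interface name are assumed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str
    dst: str
    dport: int
    out_if: str

@dataclass(frozen=True)
class Rule:
    target: str                     # ACCEPT or DROP
    proto: Optional[str] = None     # None means "any", like an omitted -p
    dst: Optional[str] = None
    dport: Optional[int] = None
    out_if: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        checks = ((self.proto, pkt.proto), (self.dst, pkt.dst),
                  (self.dport, pkt.dport), (self.out_if, pkt.out_if))
        return all(want is None or want == got for want, got in checks)

class Chain:
    """An ordered rule list plus the policy used when nothing matches."""

    def __init__(self, policy: str, rules=()):
        self.policy = policy
        self.rules = list(rules)

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:     # walked top to bottom
            if rule.matches(pkt):
                return rule.target  # first match wins; later rules are ignored
        return self.policy          # the -P policy is the fall-through

SERVER_IP = "192.0.2.10"            # placeholder address (TEST-NET-1)
INSIDE_DEVICE = "eth1"              # assumed interface name
SSH = Packet("tcp", SERVER_IP, 22, INSIDE_DEVICE)
TELNET = Packet("tcp", SERVER_IP, 23, INSIDE_DEVICE)

# The post's layout: policy DROP, then one ACCEPT for forwarded SSH.
FORWARD = Chain("DROP", [Rule("ACCEPT", "tcp", SERVER_IP, 22, INSIDE_DEVICE)])

def shadowed_verdict() -> str:
    """A broad DROP listed before the narrow ACCEPT makes SSH unreachable."""
    chain = Chain("DROP", [Rule("DROP", "tcp", SERVER_IP),
                           Rule("ACCEPT", "tcp", SERVER_IP, 22, INSIDE_DEVICE)])
    return chain.verdict(SSH)
```

With a DROP policy the order of non-overlapping ACCEPT rules does not matter; order only bites when a broad rule precedes a narrower one, as shadowed_verdict shows.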
