[PLUG] SSH Log Entry Question
Roderick A. Anderson
raanders at acm.org
Thu Apr 7 16:41:07 UTC 2005
On Wed, 6 Apr 2005, Ronald Chmara wrote:
> Without getting too technical:
You could have, but this is still great! I thought this was how it was
happening. All the -m's were a bit confusing.
Can I add before (or after) this line rules to allow specific IPs or
ranges?
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m
> recent --rcheck --name SSH -j ACCEPT
> # If it's a recently used and *accepted* IP address from the third rule
> # below (say, me connecting in from a dialup DHCP account on
> # whatever network I happen to be using), accept future incoming
> # SSH traffic from that newly accepted address.
>
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1599
> -m recent --name SSH --remove -j DROP
> # If somebody hits this port on a port scan, lock out SSH access
> # from their IP.
This is neat. Any way to do this for "all" high range ports? I'm seeing a
bunch of attempts at ports above 30000 doing ssh2.
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1600
> -m recent --name SSH --set -j DROP
> # If somebody connects to this port, allow whatever IP that
> # *tried* to connect to later connect to port 22 (ssh).
>
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1601
> -m recent --name SSH --remove -j DROP
> # If somebody hits this port on a port scan, lock out SSH from their IP.
> # The second and fourth rules exist to prevent somebody from
> # "unlocking" ssh by merely running a port scan before trying to
> # connect.
Coming from the top or the bottom of the port range?
Again thanks for the very neat trick.
Rod
--
"Open Source Software - You usually get more than you pay for..."
"Build A Brighter Lamp :: Linux Apache {middleware} PostgreSQL"
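As an added illustration (not from either poster), the Python model below steps sample connections through the quoted RH-Firewall-1-INPUT rules so the effect of the --set and --remove rules, and of the whitelist rule Rod asks about, can be seen for a scan arriving in either port order. It assumes the kernel's "SSH" recent list behaves as a set of source addresses, that the allow rule is a plain `-s <net> ... -j ACCEPT` placed ahead of the first quoted rule, and that unmatched packets fall to a DROP default; the addresses are constructed.

```python
import ipaddress

SSH_PORT = 22
KNOCK_OPEN = 1600            # rule 3: "--set" remembers the source address
KNOCK_TRAPS = {1599, 1601}   # rules 2 and 4: "--remove" forgets it again

def run_chain(packets, allow_nets=()):
    """Feed (src, dport) tuples, in order, through a model of the quoted chain.

    allow_nets: CIDR strings whose addresses may reach port 22 without
    knocking (assumed to be a "-s <net> -j ACCEPT" rule ahead of rule 1).
    Returns one verdict per packet.  The recent list named SSH is
    modelled as a set of source addresses; unmatched packets are DROPped.
    """
    allowed = [ipaddress.ip_network(n) for n in allow_nets]
    recent_ssh = set()
    verdicts = []
    for src, dport in packets:
        addr = ipaddress.ip_address(src)
        if dport == SSH_PORT and any(addr in net for net in allowed):
            verdicts.append("ACCEPT")           # static allow, no knock needed
        elif dport == SSH_PORT and src in recent_ssh:
            verdicts.append("ACCEPT")           # rule 1: --rcheck --name SSH
        elif dport in KNOCK_TRAPS:
            recent_ssh.discard(src)             # --remove; DROP whether or not listed
            verdicts.append("DROP")
        elif dport == KNOCK_OPEN:
            recent_ssh.add(src)                 # --set, then DROP the knock itself
            verdicts.append("DROP")
        else:
            verdicts.append("DROP")             # no rule matched: chain default
    return verdicts

def scan_then_ssh(src, ports):
    """Verdict on port 22 after a scan touching the given ports in that order."""
    return run_chain([(src, p) for p in ports] + [(src, SSH_PORT)])[-1]

if __name__ == "__main__":
    # Constructed sample traffic using TEST-NET-1 addresses.
    print(scan_then_ssh("192.0.2.10", [1600]))              # ACCEPT: the knock alone
    print(scan_then_ssh("192.0.2.10", [1599, 1600, 1601]))  # DROP: scan from the bottom
    print(scan_then_ssh("192.0.2.10", [1601, 1600, 1599]))  # DROP: scan from the top
    print(run_chain([("192.0.2.77", 22)], allow_nets=["192.0.2.0/24"]))  # ['ACCEPT']
```

Either scan direction ends on a --remove port, which is why the rules on 1599 and 1601 both exist. Adding a port range to KNOCK_TRAPS models a `--dport 30000:65535` --remove rule, one way to cover the high ports Rod mentions.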