I'm just curious why you are against firewalling your hosts. If you don't
want someone connecting to your device over SSH, just set up a rule that
blocks it at the router level and be done with it. On my router, I only
allow SSH from a couple of known hosts (my work subnets, as an example). When
I opened up my firewall to allow SSH to itself, I got over 66,000 SSH login
attempts within a few hours.
Thanks
Craig
On Tue, May 23, 2017 at 8:14 AM, SP2L <SP2L(a)wp.pl> wrote:
Hello Lynwood et al.
Amongst many other iptables rules I use the following:
# Any source already in the "portscan" list and seen within the last 86400 s is dropped
-A INPUT -m recent --rcheck --seconds 86400 --name portscan --mask 255.255.255.255 --rsource -j DROP
# Sources whose entry is older than that fall through to here and are removed from the list
-A INPUT -m recent --remove --name portscan --mask 255.255.255.255 --rsource
# A hit on TCP/139 adds the source to the list, logs it and drops the packet
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j LOG --log-prefix "[PORT SCAN BLOCK]:"
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j DROP
...
# Same logic for forwarded traffic
-A FORWARD -m recent --rcheck --seconds 86400 --name portscan --mask 255.255.255.255 --rsource -j DROP
-A FORWARD -m recent --remove --name portscan --mask 255.255.255.255 --rsource
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j LOG --log-prefix "[PORT SCAN BLOCK]:"
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j DROP
The above rules, together with fail2ban, effectively block/unblock
portscan attempts for a predefined period of time, here 86400 seconds.
Best regards.
Tom - SP2L
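As an added example that is not part of either message above: the iptables
`recent` rules Tom quotes are only understandable as an ordered chain, so the
following Python re-implements the semantics of `-m recent --rcheck`,
`--remove` and `--set` and walks a constructed packet trace through them.
It also tacks on the SSH policy Craig describes (accept TCP/22 only from known
subnets) behind an assumed allowlist of 203.0.113.0/24, which is documentation
address space, not anyone's real network. Nothing here touches netfilter; it is
a model for reasoning about the rule order offline.

```python
"""Simulation of the xt_recent block/expire pattern quoted above.

Added example, not code from either message: it models the semantics of
-m recent --rcheck/--remove/--set so the rule order can be traced offline,
without root or a netfilter stack.
"""
import ipaddress

BLOCK_SECONDS = 86400   # --seconds 86400 in the quoted rules
SCAN_PORT = 139         # --dport 139 in the quoted rules
SSH_PORT = 22
# Assumption: stand-in for Craig's "couple of known hosts / work subnets".
# 203.0.113.0/24 is documentation space, not a real allowlist.
SSH_ALLOWED = [ipaddress.ip_network("203.0.113.0/24")]


class RecentList:
    """Minimal model of one xt_recent list (--name portscan --rsource
    --mask 255.255.255.255): one last-seen timestamp per source address."""

    def __init__(self):
        self.last_seen = {}

    def rcheck(self, src, now, seconds):
        # --rcheck --seconds N: matches only if src is listed AND was set
        # within the last N seconds. Unlike --update it does NOT refresh the
        # timestamp, so the block expires N seconds after the last --set.
        stamp = self.last_seen.get(src)
        return stamp is not None and now - stamp <= seconds

    def remove(self, src):
        # --remove: delete src from the list if present. It is a
        # non-terminating match, so the packet continues down the chain.
        self.last_seen.pop(src, None)

    def set(self, src, now):
        # --set: add src to the list (or refresh its timestamp).
        self.last_seen[src] = now


def filter_packet(portscan, src, dport, now, log):
    """Walk the quoted INPUT rules in order and return the verdict."""
    # 1. -m recent --rcheck --seconds 86400 --name portscan -j DROP
    if portscan.rcheck(src, now, BLOCK_SECONDS):
        return "DROP"
    # 2. -m recent --remove --name portscan   (no -j: side effect only).
    #    Only sources with no entry or an expired entry get here, so this
    #    garbage-collects the stale entry before anything else is evaluated.
    portscan.remove(src)
    # 3./4. -p tcp --dport 139 -m recent --set -j LOG, then --set -j DROP.
    #    LOG is non-terminating, so both rules fire; the second --set is
    #    redundant but harmless.
    if dport == SCAN_PORT:
        portscan.set(src, now)
        log.append(f"[PORT SCAN BLOCK]: SRC={src} DPT={dport}")
        return "DROP"
    # Added here, not in the quoted rules: Craig's router policy of allowing
    # SSH only from known subnets (assumed allowlist above).
    if dport == SSH_PORT:
        addr = ipaddress.ip_address(src)
        return "ACCEPT" if any(addr in net for net in SSH_ALLOWED) else "DROP"
    return "ACCEPT"


def run_trace(trace):
    """Feed (time_s, src, dport) tuples through a fresh chain state."""
    portscan = RecentList()
    log = []
    verdicts = [filter_packet(portscan, src, dport, t, log)
                for t, src, dport in trace]
    return verdicts, log


# Constructed packet trace (documentation-range addresses, not real traffic).
SCANNER, WORK, STRANGER = "198.51.100.7", "203.0.113.10", "192.0.2.55"
TRACE = [
    (0,     SCANNER,  139),  # probe of 139: logged, dropped, listed
    (5,     WORK,     22),   # SSH from the allowed subnet
    (6,     STRANGER, 22),   # SSH from anywhere else
    (10,    SCANNER,  80),   # any later packet from the scanner while listed
    (86401, SCANNER,  80),   # one second past expiry: entry removed, accepted
    (86402, SCANNER,  139),  # scanning again re-lists the source
]

if __name__ == "__main__":
    verdicts, log = run_trace(TRACE)
    for (t, src, dport), verdict in zip(TRACE, verdicts):
        print(f"t={t:>6}s {src:>14} -> :{dport:<3} {verdict}")
    print("\n".join(log))
```

The trace makes two properties of the quoted rules visible: a single probe of
TCP/139 is enough to drop everything else from that source for the full 86400
seconds, and because the first rule uses `--rcheck` rather than `--update`,
continued probing does not extend the block; the source is unlisted by the
`--remove` rule on its first packet after expiry and is only re-listed if it
touches port 139 again.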
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net