I'm just curious why you are against firewalling your hosts. If you don't want someone connecting to your device over SSH, just set up a rule that blocks it at the router level and be done with it. On my router, I only allow SSH from a couple of known hosts (my work subnets, as an example). When I opened up my firewall to allow SSH to itself, I got over 66,000 SSH login attempts within a few hours.
Thanks
Craig
On Tue, May 23, 2017 at 8:14 AM, SP2L <SP2L@wp.pl> wrote:
Hello Lynwood et al.
Amongst many other iptables rules I use the following:
-A INPUT -m recent --rcheck --seconds 86400 --name portscan --mask 255.255.255.255 --rsource -j DROP
-A INPUT -m recent --remove --name portscan --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j LOG --log-prefix "[PORT SCAN BLOCK]:"
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j DROP
...
-A FORWARD -m recent --rcheck --seconds 86400 --name portscan --mask 255.255.255.255 --rsource -j DROP
-A FORWARD -m recent --remove --name portscan --mask 255.255.255.255 --rsource
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j LOG --log-prefix "[PORT SCAN BLOCK]:"
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j DROP
The above rules, together with fail2ban, effectively block/unblock portscan attempts for a predefined period of time, here 86400 seconds.
Best regards. Tom - SP2L
44Net mailing list 44Net@hamradio.ucsd.edu http://hamradio.ucsd.edu/mailman/listinfo/44net
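The four-rule "recent" chain quoted above is easier to reason about when traced packet by packet, so here is an added Python model of it. It is not code from the thread or from iptables itself: it models the xt_recent list as one last-seen timestamp per source address (the real module keeps a short history of timestamps, which does not change the outcome for these rules), assumes the documented "seen less than N seconds ago" test for --rcheck --seconds, and runs a constructed timeline of packets from RFC 5737 documentation addresses. The `update` switch is an assumption added to show what would change if rule 1 used --update instead of --rcheck.

```python
# Added example (not from the 44Net thread): a constructed model of the
# four-rule xt_recent chain quoted above, so the block/expire behaviour can be
# traced without a kernel. Addresses, timestamps and the clock are constructed.

BLOCK_SECONDS = 86400   # the --seconds value in the quoted rules
TRIGGER_PORT = 139      # the --dport that marks a source as a scanner


class RecentList:
    """Per-'--name' state of the recent module: source address -> last-seen time.

    --mask 255.255.255.255 --rsource keys the list on the full source address,
    so a plain dict keyed by address is enough for this model.
    """

    def __init__(self):
        self.last_seen = {}

    def check(self, src, now, seconds, update=False):
        # --rcheck --seconds N: match only if the address is listed and was
        # seen less than N seconds ago. --update is the same test but also
        # refreshes the timestamp on a match (modelled here by update=True).
        hit = src in self.last_seen and now - self.last_seen[src] < seconds
        if hit and update:
            self.last_seen[src] = now
        return hit

    def remove(self, src):
        # --remove: delete the address if present; the rule has no -j, so it
        # never terminates the chain
        self.last_seen.pop(src, None)

    def set(self, src, now):
        # --set: add the address or refresh its timestamp
        self.last_seen[src] = now


def evaluate(state, t, src, dport, proto="tcp", update=False):
    """Walk the four quoted INPUT rules in order for one packet.

    Returns (verdict, logged): verdict is "DROP" or "CONTINUE" (fell through to
    whatever rules follow in the chain); logged is True when the LOG rule fired.
    """
    # Rule 1: -m recent --rcheck --seconds 86400 --name portscan -j DROP
    if state.check(src, t, BLOCK_SECONDS, update=update):
        return "DROP", False
    # Rule 2: -m recent --remove --name portscan  (tidies an expired entry)
    state.remove(src)
    # Rules 3 and 4: -p tcp --dport 139 -m recent --set ... -j LOG / -j DROP
    if proto == "tcp" and dport == TRIGGER_PORT:
        state.set(src, t)          # rule 3: --set, then LOG (non-terminating)
        state.set(src, t)          # rule 4: --set again, then DROP
        return "DROP", True
    return "CONTINUE", False


def simulate(packets, update=False):
    """Run a constructed packet timeline through the chain.

    packets: iterable of (t_seconds, src, dport). Returns one
    (t, src, verdict, logged) tuple per packet.
    """
    state = RecentList()
    out = []
    for t, src, dport in packets:
        verdict, logged = evaluate(state, t, src, dport, update=update)
        out.append((t, src, verdict, logged))
    return out


# Constructed timeline (RFC 5737 documentation addresses, seconds from t=0)
SCANNER = "203.0.113.5"
NEIGHBOUR = "198.51.100.7"
TIMELINE = [
    (0,     SCANNER,   139),  # probe: listed, logged, dropped
    (5,     NEIGHBOUR, 22),   # unrelated host: falls through untouched
    (10,    SCANNER,   22),   # anything else from the scanner is now dropped
    (50000, SCANNER,   139),  # further probes hit rule 1, not the LOG rule
    (86399, SCANNER,   22),   # one second before expiry: still dropped
    (86400, SCANNER,   22),   # entry expired, rule 2 removes it, falls through
    (86401, SCANNER,   139),  # a fresh probe starts a new 86400 s block
]

if __name__ == "__main__":
    for t, src, verdict, logged in simulate(TIMELINE):
        print(f"t={t:>6}s {src:<14} {verdict:<8} {'LOG' if logged else ''}")
```

Two things the trace makes visible: only the first probe of each block is logged, because every later packet from the listed source is dropped by rule 1 before it can reach the LOG rule, and the block lasts exactly 86400 seconds from that first probe, because --rcheck does not refresh the timestamp. Running the same timeline with `update=True` shows the --update variant, where each dropped packet extends the block, so a host that keeps retrying is never released.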