Alternate SSH ports are a good plan. Internally we use pubkey ssh mostly,
so flubbed passwords are much less common, but we have so many legitimate
'guest' users that password-enabled logins are still needed.
FreeBSD doesn't have 'iptables', that's mostly a Linux thing. It has
'ipfw', which I'm getting pretty good at. :-)
- Brian
On Tue, May 23, 2017 at 07:08:08AM -0400, lleachii--- via 44Net wrote:
After I researched some of the options in the past (all of which required
installation of more software), I decided on iptables entries that 'flag'
and DROP the IP for 5 minutes after 5 connection attempts.
This also covers scanning of the port if it takes more than 5 tries to
determine it's SSH. Configuring SSH or your port forward to connect to the
SSH on a non-standard port reduced my scan attempts to 0%. Be careful that
you type your password correctly from now on...you only get 5
attempts...lol.
- Lynwood
KB3VWG
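
One way to express the rule described above (5 connection attempts, then DROP for 5 minutes) with the iptables `recent` match. This is an added example, not the rules either poster actually runs; the chain name SSH_THROTTLE and list name ssh_seen are made up here, and the function only prints the commands so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example (constructed): prints iptables commands; nothing is applied.
# SSH_THROTTLE (chain) and ssh_seen (recent list) are names chosen for this example.

ssh_throttle_rules() {
    port=${1:-22}        # SSH listening port
    attempts=${2:-5}     # new connections allowed per window
    window=${3:-300}     # look-back window in seconds (5 minutes)

    # Accept only plain positive integers without leading zeros.
    for n in "$port" "$attempts" "$window"; do
        case $n in
            ''|*[!0-9]*|0*) echo "bad number: $n" >&2; return 1 ;;
        esac
    done

    # The DROP rule fires on attempt number attempts+1. xt_recent remembers
    # 20 packets per address by default (ip_pkt_list_tot), and a larger
    # hitcount is rejected when the rule is loaded.
    hit=$((attempts + 1))
    [ "$hit" -le 20 ] || { echo "attempts must be <= 19" >&2; return 1; }

    # Rule 1: create the chain.
    # Rule 2: send only NEW connections to the SSH port through it, so
    #         established sessions are never counted.
    # Rule 3: record the source address and timestamp.
    # Rule 4: drop once the source has $hit or more hits inside the window.
    #         --update records dropped attempts too, so the block persists
    #         while the source keeps trying.
    cat <<EOF
iptables -N SSH_THROTTLE
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j SSH_THROTTLE
iptables -A SSH_THROTTLE -m recent --name ssh_seen --set
iptables -A SSH_THROTTLE -m recent --name ssh_seen --update --seconds $window --hitcount $hit -j DROP
EOF
}

# Print the rules for port 22, 5 attempts, 300 seconds.
ssh_throttle_rules 22 5 300
```

Connections that are not dropped fall off the end of SSH_THROTTLE and continue through the rest of INPUT, so an ACCEPT rule for the SSH port still has to follow.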