From: Jason Opperisano <opie@817west.com>
To: netfilter@lists.netfilter.org
Subject: Re: use of the limiting options
Date: Wed, 26 Jan 2005 11:17:27 -0500	[thread overview]
Message-ID: <20050126161727.GA6583@bender.817west.com> (raw)
In-Reply-To: <Pine.LNX.4.53.0501251248340.24829@altaica>

On Tue, Jan 25, 2005 at 12:54:54PM -0600, Tib wrote:
> 
> I'd like to use the --limit and --limit-burst options to protect my sshd
> from dictionary password attacks. Considering the userbase and activity
> level I'd say that something like this would suit me just fine.
> 
> --limit 6/hour
> --limit-burst 2
> 
> This would limit it to two connect/login attempts at first, and then one
> more every 10 minutes... correct?
> 
> Would this be the proper command to use? I'm trying to just limit
> connections from the outside world, not from the local network, hence the
> address as a destination:
> 
> iptables -A INPUT -p tcp -d 66.80.174.210 --dport 22   \
>    -m limit --limit 6/hour --limit-burst 2 -j ACCEPT

that's a fantastic way to DoS yourself.  so after 8 idiots try to
connect to your SSH server--you're locked out from connecting yourself
for an hour...*brilliant*.

try some real security measures instead of snake oil:

- disable password auth on your SSHD and only allow public key auth

- filter access to your SSHD by source IP, if possible

- use some sort of VPN access (IPSec/OpenVPN/etc) to get to your SSHD,
  and only allow access that way.

-j

--
"Please do not offer my god a peanut"
        --The Simpsons
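To make the objection above concrete, here is an added model of the limit match's token bucket, written for this page rather than taken from the thread, using the 6/hour rate and burst of 2 from the question. The `LimitMatch` class and the two scenario functions are constructed for illustration; the real module keeps its credits in integer kernel ticks, so this is an approximation of its behaviour, not its code.

```python
"""Token-bucket model of iptables' `-m limit` (added example, not from the thread)."""
from dataclasses import dataclass, field


@dataclass
class LimitMatch:
    """Approximates `-m limit --limit <rate> --limit-burst <burst>`.

    Key property: there is ONE bucket per rule, not one per source
    address.  Every packet that reaches the rule spends a token, whoever
    sent it.  (Constructed model; the kernel uses integer credits/ticks.)
    """
    rate_per_hour: float
    burst: int
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)        # bucket starts full

    def allows(self, now: float) -> bool:
        # Refill continuously: one token every 3600/rate seconds, capped at burst.
        self.tokens = min(self.burst,
                          self.tokens + (now - self.last) * self.rate_per_hour / 3600.0)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def tib_reading(rate_per_hour: float = 6, burst: int = 2) -> list:
    """The question's reading: two attempts at once, then one per 10 minutes?

    Probes at t = 0s, 1s, 2s, 601s, 602s, 1201s (times in seconds).
    """
    m = LimitMatch(rate_per_hour, burst)
    return [m.allows(t) for t in (0, 1, 2, 601, 602, 1201)]


def lockout(rate_per_hour: float = 6, burst: int = 2, strangers: int = 8) -> list:
    """The reply's point: strangers drain the shared bucket before the admin connects.

    Constructed timeline: `strangers` quick attempts at t = 0..7s, then the
    admin tries at 300s, 599s and 601s.  Returns [(source, accepted), ...].
    """
    m = LimitMatch(rate_per_hour, burst)
    attempts = [(float(i), "stranger") for i in range(strangers)]
    attempts += [(300.0, "admin"), (599.0, "admin"), (601.0, "admin")]
    return [(src, m.allows(t)) for t, src in attempts]
```

Run `lockout()` and only the first two stranger attempts pass, while the admin is refused until a full token has refilled (just after the 600-second mark).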

