Linode Forum
https://forum.linode.com/

Break-In Attempts
https://forum.linode.com/viewtopic.php?f=19&t=7166
Page 2 of 2

Author:  Stan 2.0 [ Sun May 29, 2011 6:52 am ]
Post subject: 

obs wrote:
... of course if you don't have a static IP you're screwed.


Exactly. My IP changes way too often to rely on that.

Author:  obs [ Sun May 29, 2011 7:19 am ]
Post subject: 

Another option then is to enable iptables rate limiting on your SSH port; it will at least prevent log flooding.
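What the rate-limiting suggestion above looks like in practice, as an added example that is not from the thread or from any poster: a small POSIX sh function that emits an iptables-restore ruleset using the `recent` match. The port, the 60-second window and the hit count of 4 are hypothetical defaults; the chain name `SSH_LIMIT` and list name `ssh` are likewise made up for the example.

```shell
#!/bin/sh
# Added example (not from the forum thread): emit iptables rules that rate-limit
# new TCP connections to an SSH port with the "recent" match, in the syntax
# consumed by `iptables-restore`. Port, window and hit count are hypothetical
# defaults, and the chain/list names are ours; adjust to taste.
#
# Behaviour: once HITS new connections from one source IP have been seen within
# SECONDS, further new connections from that IP are dropped. Already-established
# sessions never enter the limiter chain, so a live login is not affected.
# Bot noise in auth.log is therefore capped at a few lines per minute per source.

# ssh_ratelimit_rules PORT [SECONDS] [HITCOUNT]
ssh_ratelimit_rules() {
    port=$1
    seconds=${2:-60}
    hits=${3:-4}
    cat <<EOF
*filter
:SSH_LIMIT - [0:0]
# only brand-new connections to the SSH port enter the limiter chain
-A INPUT -p tcp --dport ${port} -m conntrack --ctstate NEW -j SSH_LIMIT
# source already seen ${hits} times within ${seconds}s: refresh its timestamp and drop
-A SSH_LIMIT -m recent --name ssh --update --seconds ${seconds} --hitcount ${hits} -j DROP
# otherwise record the source and hand the packet to the normal INPUT policy
-A SSH_LIMIT -m recent --name ssh --set -j ACCEPT
COMMIT
EOF
}

# Print a ruleset for the requested port (default 22) to stdout. Applying it is
# a separate, root-only step, e.g.:
#   ssh_ratelimit_rules 1402 | iptables-restore --test        # dry run
#   ssh_ratelimit_rules 1402 | iptables-restore --noflush     # merge into live rules
ssh_ratelimit_rules "${1:-22}"
```

The `--update` rule must come before the `--set` rule: `--update` only matches addresses already in the list, so a first-time source falls through to `--set`, gets recorded, and is accepted. Sources that share a NAT address with you share a bucket, so keep the hit count high enough for your own retries.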

Author:  haus [ Sun May 29, 2011 9:49 am ]
Post subject: 

Stan 2.0 wrote:
haus wrote:
Well, to be fair, if you took my advice and changed the port that number would be zero.


I've changed my SSH port number to 1402 and still have 10-20 break-in attempts per hour. No idea how they found out which port it is.

These break-in attempts are pretty useless because I only use public-key authentication. Still annoying, though.


Raise it above 10000 and use CSF to stop portscans. You need to choose a port that isn't already commonly used by some service, or it will already be on the bot lists. They didn't find your port; it was dumb luck.

Author:  dbb [ Sun May 29, 2011 6:31 pm ]
Post subject: 

In my setup, I have SSH listening on 22 and another port >10000. The >10000 port is publicly accessible and 22 is restricted to my ISP's subnets since I have a dynamic IP. Listening on 22 gives me the convenience to not always have to specify the port and >10000 allows me to login if I'm not at home.

This is enough to get 0 break-in attempts on SSH in the 1+ year I've had this setup. Of course, I also have all the typical measures, no root logins, public key authentication only, etc.
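The two-listener setup dbb describes, rendered as config by way of an added example that is not dbb's own configuration: an sshd_config fragment (both ports, key-only auth, no root login) and the matching iptables-restore rules. The high port 12022 and the two "ISP" prefixes 198.51.100.0/24 and 203.0.113.0/24 are placeholders taken from the documentation ranges; substitute your provider's actual prefixes.

```shell
#!/bin/sh
# Added example (not dbb's configuration): emit an sshd_config fragment and the
# iptables rules for "22 only from my ISP, a high port from anywhere".
# HIGH_PORT and ISP_SUBNETS are placeholders; replace with your own values.

HIGH_PORT=12022
# Space-separated CIDRs allowed to reach port 22. A dynamic home IP that moves
# within these prefixes keeps working; one that leaves them does not (see below).
ISP_SUBNETS="198.51.100.0/24 203.0.113.0/24"

# sshd_config fragment: listen on both ports, public keys only, no root login.
sshd_fragment() {
    high=$1
    cat <<EOF
Port 22
Port ${high}
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
EOF
}

# iptables-restore text: port 22 accepted only from the listed subnets, the high
# port accepted from anywhere, any other new connection to 22 dropped.
# Established traffic is matched first so a live session survives a reload.
ssh_firewall_rules() {
    high=$1
    subnets=$2
    printf '%s\n' '*filter'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for net in $subnets; do
        printf '%s\n' "-A INPUT -p tcp -s ${net} --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' "-A INPUT -p tcp --dport ${high} -m conntrack --ctstate NEW -j ACCEPT"
    printf '%s\n' '-A INPUT -p tcp --dport 22 -j DROP'
    printf '%s\n' 'COMMIT'
}

# Number of per-subnet accept rules for port 22 in the generated set. Compare it
# with the number of CIDRs you intended before loading the rules, so a typo in
# ISP_SUBNETS cannot silently leave you with fewer allowed prefixes.
subnet_rule_count() {
    ssh_firewall_rules "$1" "$2" | grep -c -- '-s .* --dport 22 '
}

sshd_fragment "$HIGH_PORT"
echo
ssh_firewall_rules "$HIGH_PORT" "$ISP_SUBNETS"
```

Load the fragment via an `Include` or by appending it to /etc/ssh/sshd_config, test with `sshd -t`, and pipe the rules through `iptables-restore --test` before `iptables-restore --noflush`. As haus and obs point out later in the thread, the provider can move you to a prefix that is not in the list; the high port (or Lish) is the way back in when that happens, so keep one of them reachable before tightening 22.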

Author:  obs [ Mon May 30, 2011 5:47 am ]
Post subject: 

Locking it down to your ISP's subnet is a good idea, I never thought of that :o *has a static IP*

Author:  haus [ Mon May 30, 2011 2:22 pm ]
Post subject: 

I've always wanted to do that, but every couple of years Comcast does something crazy and I get a new IP address with a completely different IP, in a block I never knew they had. So if you can do it, great, but be careful to have a backup plan in case you get locked out.

Author:  obs [ Mon May 30, 2011 2:33 pm ]
Post subject: 

haus wrote:
I've always wanted to do that, but every couple of years Comcast does something crazy and I get a new IP address with a completely different IP, in a block I never knew they had. So if you can do it, great, but be careful to have a backup plan in case you get locked out.


Use LISH if you ever get locked out; if it only happens every couple of years you could get away with it.

Author:  db3l [ Mon May 30, 2011 4:12 pm ]
Post subject: 

obs wrote:
Use LISH if you ever get locked out; if it only happens every couple of years you could get away with it.

Annoyingly, my local cable provider recently changed my home address during a maintenance window, after it had essentially been static for, I think, almost 10 years. I always knew it could theoretically happen, but it had been so long I had certainly taken it for granted.

My Linodes generally have very limited general access, but complete access for my home address which was an easy configuration to block all the various random attempts while not getting in my way. Of course I had the benefit of having such a static-like address.

Anyway, LISH is exactly how I handled it. A quick LISH connection to each node, adjust to the new address, and keep going.

-- David

All times are UTC-04:00