Linode Forum
PostPosted: Wed Mar 30, 2005 12:09 pm 
Well, I tried using some of the 200 ports, but those seemed to time out after a while too (not sure why).

So now I'm using the script mikegrb typed up, and it seems to be working, sort of.

Since I have to use PPPoE, I commented out the "iptables -A SSH_WHITELIST..." line. My understanding from the script is that it will allow 3 connections within a 60-second period, but it seems to only be allowing 1. Is there something that needs to be changed in the code above to allow up to 3 connections?

Also, is it safe to edit the 60-second thing? I am the only person who SSHes into my box, so I'm wondering if it is OK to extend the time frame to something longer, like 120 seconds or 300 seconds, for even more added protection.

Thanks,
-Kevin


PostPosted: Wed Mar 30, 2005 5:55 pm

In addition to the above postings, you can also use /etc/hosts.allow and hosts.deny files for ssh.

What I have done in the past is allow .edu, .net, .org, .com. While this may still be considered "wide-open", it does block a lot of countries. Chances are, your legit users should be coming from one of the above anyways.

Now, I just use an IP address list since I only have a small number of users.

-John


PostPosted: Thu Mar 31, 2005 4:45 pm

Internat wrote:
So I'm curious to know, is there a way to make iptables load certain rules on startup? 'Cause I would like to implement the methods that were described in the link posted by mike.

cheers
Nathan

Under Fedora the system will save the current table state at shutdown and reload it at bootup if you modify the config values in /etc/sysconfig/iptables-config.

You can force a save of the current tables (in case the server hangs) with /etc/init.d/iptables save.

I dunno if the other Linux distros do similar.

_________________
Rgds
Stephen
(Linux user since kernel version 0.11)


Post subject: ULOG vs LOG
PostPosted: Thu Mar 31, 2005 5:22 pm

I changed ULOG to LOG, but I would like to limit the logging to a few per minute. I tried using -m limit --limit 2/minute, but it failed. Does the Linode kernel not have support for the limit module?


PostPosted: Fri Apr 08, 2005 11:21 am

I just noticed something when I rebuilt my system using Debian Sarge instead of Woody: if you want to disable password authentication (for public-key-only authentication), you need both PasswordAuthentication no and ChallengeResponseAuthentication no.

_________________
Bus error (passengers dumped)


PostPosted: Sun Apr 17, 2005 11:25 am

After continuing to see this thread dominate the top 10 threads, I decided to study up on implementing SSH keys for authentication. I generated keys for my FreeBSD box to access my Linode, had success, and saw how simple it was to set up. I now have every single Unix machine (5 machines) using SSH keys to authenticate to my Linode. I'll eventually do the same thing with my Linode, so it can run jobs and communicate with my Unix boxes at home.

I'll eventually use iptables also, but this is solid enough (using a 512-bit key) and SSH is the ONLY port open.


PostPosted: Sun Apr 17, 2005 5:08 pm

NecroBones wrote:
Another band-aid fix you can do if you have a very small number of users is to run sshd on a non-standard port. This of course is not a fix, but for 99.99% of the attacks out there, it'll be effective, since these brute-force approaches look for the low-hanging fruit, and they're not going to take the time to do a complete port scan on every IP. Not yet, anyway...


security through obscurity

Another precaution you can take is to deny root login itself. This can be done by setting PermitRootLogin to no in /etc/ssh/sshd_conf, and then using some arbitrary user to log in to your Linode, to whom you give very limited rights or none. The username for this user can be as cryptic as one of your passwords (ic87pz19fd, for example). Then su using this login.


PostPosted: Mon Apr 18, 2005 3:20 pm

I use skey-only logins (so anyone connecting without a valid skey is just disconnected, without the chance to enter anything).


Last edited by Ashen on Sun Apr 08, 2012 9:18 pm, edited 2 times in total.

PostPosted: Tue May 10, 2005 5:43 pm

The iptables 'recent' module doesn't seem to be on my system.

Code:
iptables v1.2.11: Couldn't load match `recent':/lib/iptables/libipt_recent.so: cannot open shared object file: No such file or directory


PostPosted: Wed May 11, 2005 4:28 pm

strikesam wrote:
NecroBones wrote:
Another band-aid fix you can do if you have a very small number of users is to run sshd on a non-standard port. This of course is not a fix, but for 99.99% of the attacks out there, it'll be effective, since these brute-force approaches look for the low-hanging fruit, and they're not going to take the time to do a complete port scan on every IP. Not yet, anyway...

security through obscurity

Yes, I know, I thought I was clear about that. :)

_________________
----
Ed/Bones.


PostPosted: Thu May 12, 2005 7:29 pm
Linode Staff

astro wrote:
The iptables 'recent' module doesn't seem to be on my system.

Code:
iptables v1.2.11: Couldn't load match `recent':/lib/iptables/libipt_recent.so: cannot open shared object file: No such file or directory

CONFIG_IP_NF_MATCH_RECENT is set in both the latest 2.4 and 2.6 kernels, and has been for quite some time now. This is a user-space problem.

-Chris


PostPosted: Thu May 12, 2005 8:24 pm

My bad. I re-emerged the iptables package and it worked. Not sure what the deal was, though, because it was supposedly the same ebuild.

I added the "recent" feature to my iptables on my home computer the other day, and the number of these attempts dropped dramatically. Basically, only the first attempt will show in my logs, because the rest are dropped.


PostPosted: Thu May 12, 2005 8:40 pm

Quote:
So I'm curious to know, is there a way to make iptables load certain rules on startup? 'Cause I would like to implement the methods that were described in the link posted by mike.


I use the iptables-save command to save the config to a file and then use iptables-restore to load it on startup.

so...

iptables-save > /etc/myiptables.conf

then...

iptables-restore /etc/myiptables.conf


PostPosted: Fri May 13, 2005 11:23 am

astro wrote:
The iptables 'recent' module doesn't seem to be on my system.

Code:
iptables v1.2.11: Couldn't load match `recent':/lib/iptables/libipt_recent.so: cannot open shared object file: No such file or directory


When compiling iptables, I had to add "recent" to the list of extensions to be made near the top of extensions/Makefile in the source tree.

hth


PostPosted: Sat Jun 25, 2005 7:57 am

Nice script, Mike. Unfortunately it only works if your INPUT chain policy is set to ACCEPT (mine is set to DROP).
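An added simulation of the iptables `recent` match, written for this thread and not taken from mikegrb's script (which is not reproduced here). It speaks to two points raised above: Kevin's question of how many new connections a `--seconds 60 --hitcount N` rule actually lets through, and the remark just above that the script only works with an INPUT policy of ACCEPT. It assumes the script has the common shape `--set` followed by `--update --seconds 60 --hitcount N -j DROP` with no explicit ACCEPT rule; the addresses and timestamps are constructed, and the semantics modelled are those documented for `--set`, `--rcheck` and `--update`.

```python
from collections import defaultdict

class RecentTable:
    """In-memory stand-in for one named 'recent' list (e.g. --name SSH)."""

    def __init__(self):
        self.stamps = defaultdict(list)  # src address -> times it was recorded

    def set(self, src, now):
        """--set: record this packet's time for the source address."""
        self.stamps[src].append(now)

    def check(self, src, now, seconds, hitcount, update):
        """--rcheck / --update: match when at least `hitcount` recorded times
        (the current packet's own --set included) fall inside the last `seconds`.
        --update additionally records the current time whenever it matches."""
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t <= seconds)
        matched = hits >= hitcount
        if matched and update:
            self.stamps[src].append(now)  # refresh: the block lives on while retries continue
        return matched

def ssh_check(table, src, now, seconds, hitcount, update, policy, explicit_accept):
    """Verdict for one NEW SSH connection through a chain assumed to look like
        -m recent --set --name SSH
        -m recent --update --seconds S --hitcount N --name SSH -j DROP
        -j ACCEPT                      (present only when explicit_accept is True)
    and otherwise falling through to the INPUT chain policy."""
    table.set(src, now)
    if table.check(src, now, seconds, hitcount, update):
        return "DROP"
    return "ACCEPT" if explicit_accept else policy

def simulate(attempts, seconds=60, hitcount=4, update=True,
             policy="ACCEPT", explicit_accept=False):
    """attempts: list of (time_in_seconds, src) for NEW connections; returns verdicts."""
    table = RecentTable()
    return [ssh_check(table, src, t, seconds, hitcount, update, policy, explicit_accept)
            for t, src in attempts]

if __name__ == "__main__":
    burst = [(t, "192.0.2.10") for t in (0, 10, 20, 30, 40)]  # constructed client
    print(simulate(burst))                 # hitcount 4 -> three ACCEPTs, then DROPs
    print(simulate(burst, hitcount=3))     # hitcount 3 -> only two ACCEPTs
    print(simulate(burst, policy="DROP"))  # no -j ACCEPT + policy DROP -> nothing gets in
```

A hitcount of N lets N-1 connections through per window, and because `--update` records every dropped attempt, a client that keeps retrying stays blocked until it has been quiet for the whole window. Ending the chain with an explicit `-j ACCEPT` is what makes the rules independent of the INPUT policy.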

