[Tfug] Stopping repeated login attempts

Louis Taber ltaber at gmail.com
Wed Jan 27 21:32:02 MST 2010


Port 2222 was just easy for the NAT entry screen on my LinkSys router.  The
22 was already in the field, I just added another 22.  No imagination at all
<sigh>.  The next set of attempts came from a different IP address, also in
China.  I was surprised that someone else found the new port so quickly.

This is on my larger home system.  It has the only entry in my router NAT
table.  It is only for ssh.  In addition to my account, there are perhaps 3
other dormant accounts which I expect have MUCH less secure passwords than I
use.  These could be disabled.

I know of no connection from my web server (currently hosted in California)
and my home system that is available to the public.  My web server is hosted
by DreamHost.

I only make incoming connections on VERY rare occasion.  Since I retired
from Pima, I don't think I have used it at all.   I do have a DyDNS entry.
One possible pointer to my home system.

Does anyone know how well IPTables handles the long list of China's IP
addresses?  It might be a simple solution as long as I 1) don't travel to
China, 2) leave my system on while I am gone, and 3) want to access it while
I am there.  (AND assume all the bad guys live in China.)  When I am away
from home for more than a week, I will usually power the computer off.


> Oh I totally agree with you. And if you get all the botnet burglar buddies
> involved it really starts to cut down on the time it takes to get stuff
> done. Not trying to offend anyone, Louis I think you were my first Unix
> instructor at Pima, but why choose port 2222? To me that is probably the
> next port I would test if 22 didn't work. Kind of like port 80 and port
> 8080. I don't think anybody here was suggesting that moving from port
> 22 to some random port was the end all be all solution. But from my
> experience moving sshd off of port 22 to a random port cut down on attempts
> to next to nothing. Then totally removing password login, ssh keys, was the
> next layer. Only allowing access to those ssh keys by certain IPs  with the
> from= was next. There is limiting important boxes sshd access to only one or
> two other boxes on the net via firewall or similar. I mean the list goes on
> and on, each of them with their own pros and cons. And without really knowing
> what his network setup and requirements are, I think it can be a challenging
> question to answer.
>
> -Brandon
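The layers listed in the quoted reply (a non-obvious port, no password login, keys restricted with from=) can be checked mechanically. The following is an added example, not part of the original thread: the sample config and key lines are constructed, the function names are hypothetical, and `Match` blocks in sshd_config are deliberately not evaluated.

```python
# Constructed sample inputs (not taken from the thread).
SSHD_CONFIG = "Port 2222\nPasswordAuthentication yes\n"
AUTHORIZED_KEYS = (
    'from="192.0.2.10,198.51.100.0/24" ssh-ed25519 AAAAconstructedA user@laptop\n'
    "ssh-rsa AAAAconstructedB dormant@home\n"
)
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # prefixes of public key type names
GUESSABLE_PORTS = {22, 2222}           # the two ports discussed in the thread

def split_options(line):
    """Split the leading options field of an authorized_keys line on
    commas that are outside double quotes; [] if the line has no options."""
    if line.startswith(KEY_TYPES):
        return []
    opts, cur, in_quotes = [], "", False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quotes = not in_quotes
        if not in_quotes and ch in ", \t":
            opts.append(cur)
            cur = ""
            if ch != ",":
                break  # unquoted whitespace ends the options field
        else:
            cur += ch
    return opts

def audit(sshd_config, authorized_keys):
    """Return findings for: guessable port, password login, keys without from=."""
    ports, password_auth = [], None
    for raw in sshd_config.splitlines():
        words = raw.strip().split()
        if len(words) < 2 or words[0].startswith("#"):
            continue
        key = words[0].lower()
        if key == "match":
            break  # assumption: per-Match overrides are out of scope
        if key == "port":
            ports.append(int(words[1]))
        elif key == "passwordauthentication" and password_auth is None:
            password_auth = words[1].lower()  # sshd uses the first value
    findings = [f"port {p} is an easily guessed ssh port"
                for p in (ports or [22]) if p in GUESSABLE_PORTS]
    if (password_auth or "yes") != "no":  # sshd default is yes
        findings.append("password login is enabled")
    for n, line in enumerate(authorized_keys.splitlines(), 1):
        line = line.strip()
        if line and not line.startswith("#"):
            if not any(o.startswith("from=") for o in split_options(line)):
                findings.append(f"authorized_keys line {n}: no from= restriction")
    return findings
```

Calling `audit(SSHD_CONFIG, AUTHORIZED_KEYS)` on the constructed sample reports the port, the password setting, and the second key line.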