Re: Block ssh login prompt for *.kr *.jp etc.
From: Sheldon T. Hall (obviously.fake_at_example.com)
Date: 10/04/04
Date: Mon, 04 Oct 2004 10:21:45 -0700
On 3 Oct 2004 11:08:33 -0700, kimspiracy@yahoo.com (Kim) wrote:
>Do any of these solutions result in my machine *completely ignoring*
>login attempts from *.kr addresses? As I said, I do not even want them
>to be PROMPTED for a login. My machine should be completely invisible
>to them.
>
>If so, would you mind being a little more specific about what I need
>to do? I am running OpenSSH_3.5p1 on a Red Hat 9.0 machine behind a
>Linksys router.
You probably want your whole machine to be invisible, not just the SSH
port.
1. Block as much as you can at the router. Only pass to your
internal machines requests for services they can provide securely. On
my network, that's only 4 ports: ssh, pop3, smtp, and http. All the
rest stops at the router.
2. Configure SSHD to allow only specified users (see sshd_conf).
3. Run iptables, ipfilter, or a similar packet-level filter, and
either (a) block everything except known sources of desirable traffic
or (b) block all known sources of hostile traffic. Do this by IP
address, not by host name. Host names can be spoofed, and many
net-hostile areas have bogus or non-existend reverse DNS.
4. Consider running SSH on a non-standard port.
You can get lists of net-hostile IP addresses from blackholes.us and
other sources.
-Shel
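
Added example, not part of the original message: a sketch of step 3 that turns a list of source addresses into iptables commands for either option (a) or option (b), skipping anything that is a host name rather than an IP address. The function names `valid_cidr` and `gen_rules`, ssh on port 22, and the sample addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: print (not run) iptables commands for a list of sources.

# valid_cidr SRC: true only for a dotted-quad IPv4 address, optional /0-32.
valid_cidr() {
    addr=${1%/*}; prefix=32
    case $1 in */*) prefix=${1#*/} ;; esac
    case $addr in *[!0-9.]*|*..*|.*|*.|'') return 1 ;; esac
    case $prefix in *[!0-9]*|''|???*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# gen_rules MODE: read one source per line on stdin ('#' starts a comment).
#   deny  = option (b): drop all packets from each listed source
#   allow = option (a): accept ssh from listed sources, drop all other ssh
# DROP sends no reply, so a blocked source never sees a login prompt.
# Port 22 is an assumption (default sshd port); change it if sshd moved.
gen_rules() {
    mode=$1
    while read -r line || [ -n "$line" ]; do
        src=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')
        [ -n "$src" ] || continue
        if ! valid_cidr "$src"; then
            echo "skipped, not an IPv4 address or CIDR: $src" >&2
            continue
        fi
        case $mode in
            deny)  echo "iptables -A INPUT -s $src -j DROP" ;;
            allow) echo "iptables -A INPUT -p tcp -s $src --dport 22 -j ACCEPT" ;;
        esac
    done
    [ "$mode" != allow ] || echo "iptables -A INPUT -p tcp --dport 22 -j DROP"
}

# Constructed sample list: documentation ranges, one host name, one bad prefix.
SAMPLE='192.0.2.0/24   # constructed entry
198.51.100.7
host.example.kr
203.0.113.0/33'

printf '%s\n' "$SAMPLE" | gen_rules deny
```

Review the printed commands before feeding them to a root shell. `-A` appends to the chain, so any ACCEPT rule already earlier in INPUT still matches first.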