[LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server
Alberto Bursi
bobafetthotmail at gmail.com
Wed Feb 14 13:51:10 PST 2018
On 02/14/2018 10:36 PM, David Woodhouse wrote:
> On Wed, 2018-02-14 at 12:34 -0700, Philip Prindeville wrote:
>> Once I was messing with firewall settings and accidentally disabled
>> the firewall. Within a few minutes, there were all sorts of password
>> attacks on the WAN port. Having a sufficiently complex password
>> slowed things down long enough for me to re-secure the box.
> Pfft. If you had a half-decent password, the box was always secure.
>
> If you really care, perhaps roll something like this (which I have in
> my /etc/firewall.user) into the default configuration:
>
> for PROTO in iptables ip6tables ; do
> for TABLE in forwarding_rule input_rule; do
> $PROTO -A $TABLE -p tcp --dport 22 --syn -m recent --name SSH --rcheck --hitcount 4 --seconds 60 -j LOG --log-prefix "SSH_BRUTE "
> $PROTO -A $TABLE -p tcp --dport 22 --syn -m recent --name SSH --update --hitcount 4 --seconds 60 -j REJECT --reject-with tcp-reset
> $PROTO -A $TABLE -p tcp --dport 22 --syn -m recent --name SSH --set -j RETURN
> done
> done
>
> You have the same "problem" with external access via HTTPS, surely? Are
> you planning to ban password access to that too?
>
Just change the WAN ssh port number to something in the dynamic port
range, pretty much 0 bots scan beyond the few well-known ports range,
and you save CPU resources too.
-Alberto
More information about the Lede-dev
mailing list