[NTLUG:Discuss] IP Ranges to block

Rev. wRy slot0k at pogox.org
Mon Jan 26 15:09:05 CST 2009


On Mon, 2009-01-26 at 14:50 -0600, Rodney Loos wrote:

> I don't know if it is practical for you depending on where you need SSH
> access from, but I took the approach of adding a separate firewall rule
> prior to accepting incoming SSH attempts -- I add networks I know I might
> connect from (home, work, Sprint phone, family members' home IP range, etc.)
> and if the incoming IP is NOT from that range, just DROP it.  It takes a
> little work keeping up with changing IP assignments, but it has sure helped
> prevent all those login attempts from hackers.

Or do it real time with portsentry and have ssh listen on a non-standard
port, such as 22222.  They try to connect to ssh, and portsentry
automagically adds them to hosts.deny and iptables.

R
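
The allowlist rule described in the quoted message, as an added example that is not part of the original thread: a script that prints the iptables commands for a dedicated chain in front of SSH, so a changed address only needs an edit to one list. The chain name, the port and the three networks (documentation ranges) are assumptions for illustration.

```shell
#!/bin/sh
# Added example: prints iptables commands for an SSH allowlist chain.
# Nothing is applied here; review the output, then pipe it to sh as root.
SSH_PORT=22        # assumption: sshd on the default port
CHAIN=SSH_ALLOW    # hypothetical chain name
# Constructed sample networks (RFC 5737 documentation ranges).
# List the network you are connected from, or the final DROP ends your session.
ALLOWED_NETS="
192.0.2.0/24
198.51.100.17/32
203.0.113.64/26
"

# valid_cidr NET: succeed only for a dotted-quad IPv4 address with a /0-32 prefix.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; prefix=${1#*/}
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$addr" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr            # split the address into its octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# ssh_allowlist_rules: print one command per line. The chain is flushed and
# rebuilt on every run, so stale addresses never linger.
ssh_allowlist_rules() {
    echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
    for net in $ALLOWED_NETS; do
        if valid_cidr "$net"; then
            echo "iptables -A $CHAIN -s $net -j ACCEPT"
        else
            echo "skipping invalid entry: $net" >&2
        fi
    done
    # Anything that reached this point is not on the list.
    echo "iptables -A $CHAIN -j DROP"
    # Hook the chain into INPUT once, ahead of any rule that accepts SSH.
    echo "iptables -C INPUT -p tcp --dport $SSH_PORT -j $CHAIN 2>/dev/null || iptables -I INPUT -p tcp --dport $SSH_PORT -j $CHAIN"
}

ssh_allowlist_rules
```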



