On 24.10.2011 18:12, Tim wrote:
> On Sun, 2011-10-23 at 12:12 +0200, Reindl Harald wrote:
>> put sshd on port 10022 and all is well
>>
>> this has the additional benefit to get rid of the most
>> idiots trying password-attacks all day long
>
> Though it won't stop the more determined ones. Like those who scan for
> all open ports, and then look at what responses they get to determine
> what sort of server is listening.
>
> If you have a (potentially) vulnerable server exposed, using something
> like fail2ban (if I remembered the name correctly) can be a good idea.
> It allows a limited number of attempts from an IP, then temporarily
> blacklists that IP. A hacker would have to have tremendous luck to
> guess a password in only two attempts, for instance.
I know all this, but it is not in standard nmap, and so
you don't have the logfiles full the whole day, and the
overhead for a non-standard port is practically non-existent
NOBODY should allow password login on sshd, ever, and we do not
additionally:
# allow new connections to the sshd port at 60 per minute, with a burst of 20
iptables -A INPUT -p tcp --sport 1024:65535 -m state --syn --state NEW --dport YOURPORT \
  -m limit --limit 60/minute --limit-burst 20 -j ACCEPT
# everything above that rate falls through to this rule and is rejected
iptables -A INPUT -p tcp -m state --syn --state NEW --dport YOURPORT -j REJECT
___________
for portscans allow only 120 connections from the same IP per second
makes it really hard to do a full port scan because it takes forever, and
additionally webservers are protected against a single DoS attack
try it with "ab -c 20 -n 100000 http://yourhost/" and you will see htop
shortly at 100% CPU and falling back to normal values in waves
# record every new TCP connection per source address in the xt_recent list
# (both rules are inserted with -I, so the DROP check below ends up first in the chain
#  and the --set rule after it, which is the order the two need)
iptables -I INPUT -p tcp -i eth0 -m state --state NEW -m recent --set
# drop further new connections from an address already seen 120 times in the last second
# (older kernels refuse a --hitcount above xt_recent's ip_pkt_list_tot, default 20;
#  load the module with "modprobe xt_recent ip_pkt_list_tot=120" there)
iptables -I INPUT -p tcp -i eth0 -m state --state NEW -m recent --update --seconds 1 --hitcount 120 -j DROP
___________
as you see, security is never one setting and then it is done, and obscurity as
additional prevention is good and no overhead if someone knows how to handle
his machines
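To make the effect of the two rule sets visible without a root shell, here is an added example (not code from the thread): a Python simulation of the iptables "limit" match (a token bucket that starts with --limit-burst tokens and refills at --limit) and of the "recent" --update/--seconds/--hitcount check, run over constructed SYN arrival times. The IP addresses and timestamps are made up for the demonstration; the simulation assumes the kernel accepts the 120-packet hitcount.

```python
"""Simulate the two iptables rate limits from the post over constructed traffic.

'limit' match: token bucket, --limit-burst tokens at start, refilled at --limit.
'recent' match: '--update --seconds S --hitcount H' matches (here: drops) a packet
when the address already has H stamps in the last S seconds; the stamp for the
current packet is then recorded either by --update or by the following --set rule.
"""
from collections import defaultdict, deque


def limit_match(arrivals, rate_per_minute=60, burst=20):
    """One verdict per arrival (sorted ascending): True where the 'limit' rule
    matches (-j ACCEPT), False where the SYN falls through to the REJECT rule."""
    rate_per_second = rate_per_minute / 60.0
    tokens = float(burst)          # bucket starts full
    last = None
    verdicts = []
    for t in sorted(arrivals):
        if last is not None:       # refill for the time elapsed, capped at the burst
            tokens = min(float(burst), tokens + (t - last) * rate_per_second)
        last = t
        if tokens >= 1.0:
            tokens -= 1.0
            verdicts.append(True)
        else:
            verdicts.append(False)
    return verdicts


def recent_match(arrivals_by_ip, seconds=1.0, hitcount=120):
    """Return {ip: number of SYNs dropped} for the '--set' / '--update ... -j DROP' pair.
    The real xt_recent keeps a ring of ip_pkt_list_tot stamps per address; the
    simulation assumes that ring is at least `hitcount` long."""
    dropped = defaultdict(int)
    for ip, arrivals in arrivals_by_ip.items():
        window = deque()           # stamps of this address still inside the window
        for t in sorted(arrivals):
            while window and t - window[0] > seconds:
                window.popleft()   # expired stamps no longer count
            if len(window) >= hitcount:
                dropped[ip] += 1   # --update matched: packet dropped
            window.append(t)       # stamp recorded by --update or by --set
    return dict(dropped)


# Constructed sample input: a password-guessing burst of 30 SYNs at once,
# then one more after half a second and one more after a full second.
SSH_BURST = [0.0] * 30 + [0.5, 1.0]

# Constructed sample input: one address firing 200 SYNs within half a second
# (a fast scanner), another spreading 119 SYNs over half a second and then one later.
SCAN_SAMPLE = {
    "203.0.113.7": [i * 0.0025 for i in range(200)],
    "203.0.113.8": [i * 0.004 for i in range(119)] + [2.0],
}


def summarize():
    """Counts a practitioner would compare against the rules' intent."""
    verdicts = limit_match(SSH_BURST)
    return {
        "ssh_accepted": verdicts.count(True),
        "ssh_rejected": verdicts.count(False),
        "scan_dropped": recent_match(SCAN_SAMPLE),
    }


if __name__ == "__main__":
    print(summarize())
```

With the defaults, the SSH burst of 30 gets exactly 20 accepted, the SYN at 0.5 s is still rejected (only half a token has refilled) and the one at 1.0 s is accepted again; the fast scanner loses 80 of its 200 SYNs while the slower address is never dropped, which is the difference between a 120-per-second full scan and ordinary traffic the rule is meant to leave alone.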