<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">I just auto blacklist drive-by’s. Lemme dig in my server… <div><br></div><div><div style="margin: 0px; font-size: 11px; font-family: Menlo;">#</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;"># Rate limit ssh connections</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;">#</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;">/sbin/iptables -N LOGDROP</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;">/sbin/iptables -A LOGDROP -j LOG</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;">/sbin/iptables -A LOGDROP -j DROP</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;">iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;">iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j LOGDROP</div><div><br></div><div><br></div><div><div>On 20Feb, 2014, at 12:12, Ken Causey <<a href="mailto:ken@kencausey.com">ken@kencausey.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">What does the group think of changing the port that sshd listens on for connections? Yes, I know this is a sort of security by obscurity and is entirely pointless if you are being targeted. But we aren't being targeted yet the net is just full of drive-by connection attempts these days.<br><br>On a server I administer for a customer I used to get log reports of hundreds and even thousands of the attempted ssh connections each and every day. I got tired of the noise and moved sshd to another port. It has been years now and there has not been a single ssh connection attempt from anyone other than me since I made the change.<br><br>Now I'm not saying this is any serious problem. And I don't get these sorts of log reports on the Squeak servers currently, so this is not addressing any noise I'm dealing with. But I'm sure all of the Squeak servers are being hit with connection attempts constantly, probably more than the other server I deal with since it is in no way public. At some point there is a tiny possibility that one of the connection attempts will properly guess both a username and a password (and shame on that person for using such a simple password if it happens :) ), sort of the million monkey theory.<br><br>Anyway this is something I've considered but of course it would affect everyone who sshs to the servers and so I can't just make such a change unilaterally.<br><br>If you are in favor of this change suggest a number that might be relevant to Squeakers and easy to remember, preferably <= 1024, if you can think of one.<br><br>Ken<br></blockquote></div><br></div></body></html>