Re: iptables block attempts
Quote:
Originally Posted by
Doug S
Yes, as long as there is not 10 minutes between login attempts.
Hey I just tried this on my local Ubuntu Server to test it out. Before adding the rule I could SSH to my local machine. After adding the rule and then attempting to access it 3 times I got the Permission denied (publickey,password).
HOWEVER, I was able to try ssh again and was prompted for a password 3 more times before it failed again.
I thought this command would add the ip to the DROP/REJECT list after 3 failed attempts such that they could not try ssh again (or in this case try any access to the server).
Am I missing something? After 3 successive failed attempts I want to block the IP from accessing everything.
Re: iptables block attempts
Quote:
Originally Posted by
dkardell
so SeijiSensei help the newbie out here. Again I'm a programmer of some 30 years and have been playing around with Ubuntu for a little over a year and am now doing remote admin of a server via SSH. This whole thread started because of the number of sshd root failures I'm seeing for other ips. I've read over the OpenVPN stuff and really want to understand it but a bit worried that I may screw something up and lock myself out. I have heard about shared static keys but have slept since then. How do I go about using keys on my mac local and on a Ubuntu server hosted at Godaddy?
Next what are your code examples above. Are scripts inside of executable files? or are these configs?
Thanks!
Dan
Those are the server and client configuration files for OpenVPN. They are stored in /etc/openvpn. You can name them anything you want as long as they end in .conf. (I have a server that manages multiple VPNs; each tunnel has a separate file in /etc/openvpn.)
The steps in that "how-to" I linked above are pretty straightforward. Here's a quick summary:
1) First generate a key that will be used on both machines to encrypt the traffic over the tunnel. OpenVPN provides a convenient method to do this with the command:
Code:
sudo openvpn --genkey --secret /etc/openvpn/mykey
sudo chmod 600 /etc/openvpn/mykey
This will create the file /etc/openvpn/mykey. Place a copy of the key in the same location on both machines. Make sure the files are owned by root and use the same chmod command to limit their visibility to the root user.
2) Install openvpn.
Code:
sudo apt-get install openvpn
3) Create a file on the server, call it /etc/openvpn/something.conf, and put the commands I gave above for the server in that file. The port number is arbitrary; pick something between 1024 and 65535 that is not being used for anything else. Make sure your iptables ruleset opens this port. If you chose port 12345, you would include an iptables rule that reads:
Code:
iptables -A INPUT -p udp --dport 12345 -j ACCEPT
to allow incoming UDP traffic on port 12345. If the server is locked down, you probably need to add another rule to enable traffic over the tunnel like this:
Code:
iptables -A INPUT -i tun0 -j ACCEPT
This allows all traffic to the "tun0" interface, which will be created when OpenVPN starts. Add this to the iptables rulesets on both machines.
The addresses in the ifconfig directive are also arbitrary. All my tunnels are numbered in the 10.1.1.0/24 subnet, but you could use any other private addressing space like 192.168/16. Just make sure the order of addresses is reversed in the client configuration file.
4) Install OpenVPN on the client and create an equivalent .conf file like the one above. Replace "myserver.example.com" in the "remote" directive with the actual name of your server.
5) Start OpenVPN on the server:
Code:
sudo service openvpn start
Look in /var/log/syslog for any errors.
6) Now start OpenVPN on the client and check the logs for errors.
7) Try pinging the private address on the other side of the tunnel. Does it work?
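The seven steps above, collected into one script as an added example. This is not SeijiSensei's script, and the earlier post that holds the actual server and client configuration files is not part of this page, so the directives below (dev, proto, port, remote, nobind, ifconfig, secret, keepalive, persist-key, persist-tun) are the standard OpenVPN static-key settings rather than that post's exact files. The hostname myserver.example.com, UDP port 12345, the 10.1.1.0/24 tunnel addresses and the key path /etc/openvpn/mykey are the placeholders used in the post; the file name something.conf is likewise taken from step 3. Run with no argument to only print both configs for review; with `server` or `client` as the argument it performs the install on that side (needs root).

```shell
#!/bin/sh
# Added example, not the forum poster's code: renders the static-key OpenVPN
# configs and firewall rules for the tunnel described above and optionally
# installs them. Values below are the post's placeholders; adjust for your hosts.
set -eu

VPN_PORT=12345                       # arbitrary UDP port chosen in the post
SERVER_IP=10.1.1.1                   # tunnel endpoints inside the post's 10.1.1.0/24
CLIENT_IP=10.1.1.2
KEY_FILE=/etc/openvpn/mykey          # shared static key, same path on both machines
SERVER_NAME=myserver.example.com     # placeholder; replace with the real server name
CONF_FILE=/etc/openvpn/something.conf

# Print the config for one side. Note the ifconfig addresses are swapped on the
# client, which is the detail the post warns about.
render_conf() {
  case "$1" in
    server)
      printf '%s\n' "dev tun" "proto udp" "port $VPN_PORT" \
        "ifconfig $SERVER_IP $CLIENT_IP" "secret $KEY_FILE" \
        "keepalive 10 60" "persist-key" "persist-tun" ;;
    client)
      printf '%s\n' "dev tun" "proto udp" "remote $SERVER_NAME $VPN_PORT" "nobind" \
        "ifconfig $CLIENT_IP $SERVER_IP" "secret $KEY_FILE" \
        "keepalive 10 60" "persist-key" "persist-tun" ;;
    *)
      echo "usage: render_conf server|client" >&2; return 1 ;;
  esac
}

# Print the iptables rules each side needs: the UDP port rule only on the
# server (it is the side that listens), the tun0 rule on both.
firewall_rules() {
  [ "$1" = server ] && echo "-A INPUT -p udp --dport $VPN_PORT -j ACCEPT"
  echo "-A INPUT -i tun0 -j ACCEPT"
}

# Add each rule only if it is not already present: iptables -C returns 0 when
# an identical rule exists, so re-running the script does not duplicate rules.
apply_firewall() {
  firewall_rules "$1" | while read -r rule; do
    # $rule is intentionally unquoted so it word-splits into arguments
    iptables -C ${rule#-A } 2>/dev/null || iptables $rule
  done
}

# Full install for one side; mirrors steps 1-7 of the post. Needs root.
install_side() {
  side=$1
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
  apt-get install -y openvpn                                  # step 2
  if [ "$side" = server ]; then
    # step 1: generate the shared key here, then copy it to the same path on
    # the client (e.g. with scp). It must be root-owned and mode 600 on both.
    [ -f "$KEY_FILE" ] || openvpn --genkey --secret "$KEY_FILE"
    chown root:root "$KEY_FILE"
    chmod 600 "$KEY_FILE"
  fi
  render_conf "$side" > "$CONF_FILE"                          # steps 3 / 4
  apply_firewall "$side"                                      # iptables rules
  service openvpn start                                       # steps 5 / 6
  # step 7: ping the far end of the tunnel; check /var/log/syslog if it fails
  if [ "$side" = server ]; then ping -c 3 "$CLIENT_IP"; else ping -c 3 "$SERVER_IP"; fi
}

# Usage: sh vpn-setup.sh server   (on the server)
#        sh vpn-setup.sh client   (on the client)
#        sh vpn-setup.sh          (print both configs without changing anything)
case "${1:-}" in
  server|client) install_side "$1" ;;
  *) echo "# --- server ---"; render_conf server
     echo "# --- client ---"; render_conf client ;;
esac
```

One thing to check before trusting apply_firewall: `-A` appends to the end of the INPUT chain, so on a locked-down host whose chain already ends in a DROP or REJECT rule these ACCEPT rules land after it and never match. In that case insert them at the right position with `-I INPUT <n>` instead, and confirm with `iptables -L INPUT -n --line-numbers` that they sit above the final drop.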
Adding OpenVPN won't interfere with SSH access; they operate on entirely separate ports and use different protocols. If you can SSH to the public IP of your server now, you should still be able to do so after starting OpenVPN.
I use Linode for my external virtual servers. One nice feature they offer is the ability to access a text-mode terminal session on the machine over the web so I can log in even if SSH doesn't work. Things like that make the $20/month it costs for a VM on Linode worth it.