[mythtv-users] Semi-OT: Blocking Brute Force SSH attacks
Brian Foddy
bfoddy at visi.com
Sat Oct 20 05:06:56 UTC 2007
On Friday 19 October 2007, Mike Poublon wrote:
> Chris Ribe wrote:
> > I've created a small php webpage that I run on my linux router
> > that lets
> > me log in and dynamically add a rule to iptables on the fly
> >
> > Secured how? I'm neither particularly paranoid nor a security expert,
> > but giving php root access (or anyone else iptables access) doesn't
> > sound like an improvement over anything.
>
> I gave the apache user rights to sudo iptables. I'm sure it's not the
> most secure thing ever, but the page is behind a password protected (via
> apache) directory that's not linked to anywhere on the home page. I know
> it's a little bit security through obscurity, but it's password
> protected obscurity :)
>
> -Mike
I don't know if I would have done that. sshblack simply reads a log
file to find offenders. Its default is to read the auth.log, but it could
easily be altered to read an httpd access or error log. And it
provides a much better isolation of the two security-sensitive
functions.
Just my 2 cents.
Brian
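The log-driven approach Brian describes, as an added example that is not sshblack's own code: a minimal Python version that counts failed OpenSSH logins per source address from constructed auth.log lines, applies a threshold and a whitelist, and builds the iptables DROP rule it would hand to a privileged helper instead of running it from a web-facing process. The log lines, hostnames and addresses are made up; only the OpenSSH message formats are real.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (not from a real host). The OpenSSH
# message formats are the real ones; the hostname and IPs are made up.
SAMPLE_AUTH_LOG = """\
Oct 19 22:01:11 router sshd[4123]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Oct 19 22:01:14 router sshd[4123]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Oct 19 22:01:17 router sshd[4125]: Invalid user oracle from 203.0.113.7
Oct 19 22:01:20 router sshd[4125]: Failed password for invalid user oracle from 203.0.113.7 port 51250 ssh2
Oct 19 22:02:05 router sshd[4130]: Failed password for brian from 198.51.100.20 port 40001 ssh2
Oct 19 22:02:40 router sshd[4131]: Accepted publickey for brian from 198.51.100.20 port 40002 ssh2
"""

# The two OpenSSH messages that indicate a failed login attempt, with the
# source address captured. Successful logins ("Accepted ...") do not match.
FAILURE_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for (?:invalid user )?\S+|Invalid user \S+)"
    r" from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def count_failures(log_text):
    """Return a Counter of failed-login attempts per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def offenders(counts, threshold, whitelist=()):
    """IPs at or above the threshold, skipping whitelisted (own/admin) addresses
    so the blocker cannot lock out the operator after a few typos."""
    return sorted(ip for ip, n in counts.items()
                  if n >= threshold and ip not in whitelist)


def block_rule(ip):
    """argv for an iptables INPUT rule dropping traffic from ip.
    Built here, not executed: the privileged step stays in a separate helper."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]


if __name__ == "__main__":
    for ip in offenders(count_failures(SAMPLE_AUTH_LOG), threshold=3):
        print(" ".join(block_rule(ip)))  # print the rule instead of running it
```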