[mythtv-users] Semi-OT: Blocking Brute Force SSH attacks

Brian Foddy bfoddy at visi.com
Sat Oct 20 05:06:56 UTC 2007


On Friday 19 October 2007, Mike Poublon wrote:
> Chris Ribe wrote:
> >     I've created a small php webpage that I run on my linux router that lets
> >     me log in and dynamically add a rule to iptables on the fly
> >
> > Secured how?  I'm neither particularly paranoid nor a security expert,
> > but giving php root access (or anyone else iptables access) doesn't
> > sound like an improvement over anything.
>
> I gave the apache user rights to sudo iptables. I'm sure it's not the
> most secure thing ever, but the page is behind a password protected (via
> apache) directory that's not linked to anywhere on the home page. I know
> it's a little bit security through obscurity, but it's password
> protected obscurity :)
>
> -Mike

I don't know if I would have done that.  sshblack simply reads a log
file to find offenders.  Its default is to read the auth.log, but could 
easily be altered to read an httpd access or error log.  And it
provides a much better isolation of the two security-sensitive
functions.

Just my 2 cents.

Brian
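The approach Brian describes, a separate process that reads a log file to find offenders and then feeds the firewall, can be sketched in a few lines. The following is an added example, not sshblack's code and not anything posted in this thread: it parses constructed sshd `Failed password` lines from an auth.log, counts failures per source address, skips a trusted local range, and generates (but does not execute) `iptables` DROP rules. A second pattern shows the "altered to read an httpd error log" case using constructed Apache 2.2-style basic-auth failure lines; the log lines, thresholds and the trusted network list are all assumptions for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample auth.log lines (not from the thread); addresses are
# documentation ranges (RFC 5737) plus a private LAN address.
SAMPLE_AUTH_LOG = """\
Oct 19 22:01:03 router sshd[4411]: Failed password for invalid user admin from 203.0.113.7 port 51422 ssh2
Oct 19 22:01:05 router sshd[4411]: Failed password for invalid user admin from 203.0.113.7 port 51423 ssh2
Oct 19 22:01:08 router sshd[4413]: Failed password for root from 203.0.113.7 port 51430 ssh2
Oct 19 22:01:09 router sshd[4415]: Failed password for root from 203.0.113.7 port 51431 ssh2
Oct 19 22:02:10 router sshd[4420]: Accepted publickey for brian from 192.168.1.20 port 50122 ssh2
Oct 19 22:03:15 router sshd[4422]: Failed password for brian from 192.168.1.20 port 50130 ssh2
Oct 19 22:04:00 router sshd[4430]: Failed password for invalid user test from 198.51.100.9 port 40001 ssh2
"""

# Constructed Apache 2.2-style error_log lines for a password-protected
# directory (mod_auth_basic); also not from the thread.
SAMPLE_HTTPD_ERROR_LOG = """\
[Fri Oct 19 22:05:01 2007] [error] [client 198.51.100.9] user bob: authentication failure for "/secret/": Password Mismatch
[Fri Oct 19 22:05:02 2007] [error] [client 198.51.100.9] user bob not found: /secret/
[Fri Oct 19 22:05:03 2007] [error] [client 198.51.100.9] user bob: authentication failure for "/secret/": Password Mismatch
"""

# One regex per log source; group 1 is always the client address.
SSHD_FAILURE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port"
)
HTTPD_AUTH_FAILURE = re.compile(
    r"\[client ([^\]]+)\] user \S+(?: not found|: authentication failure)"
)

# Assumed trusted ranges that must never be blocked, even on repeated failures
# (a typo'd password from the LAN should not lock the admin out).
TRUSTED = [ip_network("192.168.1.0/24"), ip_network("127.0.0.0/8")]


def is_trusted(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED)


def find_offenders(log_text: str, pattern: re.Pattern, threshold: int) -> list:
    """Return sorted addresses with at least `threshold` matching failures."""
    counts = Counter()
    for line in log_text.splitlines():
        m = pattern.search(line)
        if not m:
            continue
        ip = m.group(1)
        try:
            ip_address(ip)          # drop anything that is not a real address
        except ValueError:
            continue
        if is_trusted(ip):
            continue
        counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def block_commands(offenders: list, chain: str = "INPUT") -> list:
    """Render one iptables DROP rule per offender; nothing is executed here."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in offenders]


def scan(sources: list) -> list:
    """Run several (log_text, pattern, threshold) sources and merge the results."""
    offenders = set()
    for log_text, pattern, threshold in sources:
        offenders.update(find_offenders(log_text, pattern, threshold))
    return block_commands(sorted(offenders))


if __name__ == "__main__":
    for cmd in scan([(SAMPLE_AUTH_LOG, SSHD_FAILURE, 3),
                     (SAMPLE_HTTPD_ERROR_LOG, HTTPD_AUTH_FAILURE, 3)]):
        print(cmd)
```

The log reader runs as its own unprivileged job and only the final `iptables` calls need root, which is the separation Brian is pointing at: the web server never holds firewall rights, and a bug in the page cannot become a firewall change. Swapping in another log format is a matter of adding a regex whose first group is the client address.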
