This is kind of general holding place for commands that I run into and need to keep track of in Linux. I mainly play with Ubuntu and Kali but these should work with almost any distro.
If you run a ssh server on the internet, you want to minimize the risk of brute forcing. Its best to not allow root logins via anywhere, so that removes the easy job of guessing a username. This little trick will allow new connections to ssh from the same IP, only three times. So basically if someone keeps trying to connect to your ssh server, it will track the SYN packets and block them for 5 minutes after the 3rd new connection. This also gets logged.
Warning: You can easily block yourself, so don’t create a bunch of new connections in 5 minutes. You can lower the timeout to 60 seconds if you often connect within that time frame.
1) Add the following line to /etc/ssh/sshd_config. This will only allow you to try a password once and it disconnect you.
2) Add the following firewall rules
iptables -N SSHATTACK
iptables -A SSHATTACK -j LOG --log-prefix "Possible SSH attack!" --log-level 7
iptables -A SSHATTACK -j DROP
iptables -A INPUT -i eth0 -p tcp -m state --dport 22 --state NEW -m recent --set
iptables -A INPUT -i eth0 -p tcp -m state --dport 22 --state NEW -m recent --update --seconds 300 --hitcount 3 -j SSHATTACK
3) See log entries of possible in /var/log/syslog
Nov 20 05:07:23 ubuntu-server kernel: [579055.102939] Possible SSH attack! IN=eth0 OUT= MAC=00:0c:29:3a:8f:d7:ec:1a:59:58:4b:ee:08:00 SRC=188.8.131.52 DST=192.168.2.2 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=25234 DF PROTO=TCP SPT=4081 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
If you have a laptop and don’t want it to go into standby mode when you close the lid, run these commands once:
gsettings set org.gnome.settings-daemon.plugins.power lid-close-ac-action nothing
gsettings set org.gnome.settings-daemon.plugins.power lid-close-battery-action nothing
Proxy at the office or home? Here is how to setup apt-get so you can update the installation with a proxy. Note: you do have to put your password in here.
Edit the file /etc/apt/apt.conf and put at the top:
Acquire::http::Proxy "http://username:[email protected]:8080";