iptables +block country
Nataraj
incoming-ubuntu at rjl.com
Mon Aug 16 19:04:21 UTC 2010
Markus Schönhaber wrote:
> 16.08.2010 10:57, Harry Strongburg:
>
>
>> But yeah, fail2ban and using a high port for anything with
>> authentication has lowered attacking bots to less than one per year. The
>> one or two it catches per year appeared to have been manually started,
>> not a normal port-22 scan. The one to two that come in, fail2ban grabs
>> and bans them for however long I want! >:) As long as your password is
>> "good".
>>
>
> Yep, that's similar to what I do:
> - wherever possible, I don't allow password-based authentication for ssh
> at all. This is for security.
> - I move the ssh port way up. This is to mute the noise.
>
>
I would look at http://www.cipherdyne.org/fwknop/
With fwknop, you completely block your services. Then when you remotely
authenticate to fwknopd, it adds iptables rules to open up the ports
that you request access to, only from your ip address. fwknopd uses
promiscuous mode to sniff the network for udp authentication packets, so
a remote attacker has no idea that it is running since there is no
listener. Remote users simply don't see the services that are blocked.
The fwknop client uses gpg keys for authentication, so if you set your
keyrings and timeouts up correctly, you won't have to keep typing a
password to reauthenticate. Newer versions, I believe, will support
enabling keeping the ports open as long as you have an open connection.
This works well in cases where the users are willing to run the
authentication client. Obviously, it won't work for public resources
or could be too inconvenient for inexperienced users that don't want to
deal with an authentication client. I have been running fwknop for
several years and have found it to be quite solid and reliable.
Nataraj
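To make the mechanism described above concrete, here is a small added model of single-packet authorization, written for this page and not taken from fwknop: the client sends one authenticated datagram, the daemon verifies it, rejects replays and stale requests, and emits a source-restricted iptables ACCEPT rule that is removed again when its window closes. The shared HMAC key, the `ip|port|timestamp|tag` packet layout and the 30-second windows are assumptions for the demo; the real tool authenticates with GPG and its own wire format, and runs iptables itself rather than returning the command as text.

```python
import hmac
import hashlib

# Demo values (constructed): fwknop itself uses GPG or symmetric keys, not this.
SHARED_KEY = b"demo-shared-secret"
REPLAY_WINDOW = 30   # seconds after its timestamp that a request is still accepted

def build_request(src_ip, port, ts, key=SHARED_KEY):
    """Client side: one authenticated datagram asking to open `port` for `src_ip`.
    Layout (assumed for the demo): ip|port|timestamp|hex HMAC-SHA256 tag."""
    body = f"{src_ip}|{port}|{ts}".encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"|" + tag.encode()

class KnockDaemon:
    """Server side. The host is assumed to sit behind `iptables -P INPUT DROP`;
    nothing listens, the daemon only inspects sniffed packets."""
    def __init__(self, key=SHARED_KEY, open_for=30):
        self.key, self.open_for = key, open_for
        self.seen = set()    # tags already accepted, so a captured packet cannot be replayed
        self.rules = {}      # (ip, port) -> time at which the ACCEPT rule expires

    def handle(self, packet, now):
        """Return the iptables command to install, or None to drop the packet silently."""
        try:
            ip, port, ts, tag = packet.decode().rsplit("|", 3)
        except ValueError:
            return None                              # malformed: ignored, no reply
        body = f"{ip}|{port}|{ts}".encode()
        expect = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expect):
            return None                              # forged or corrupted tag
        if tag in self.seen or not (0 <= now - int(ts) <= REPLAY_WINDOW):
            return None                              # replayed or stale request
        self.seen.add(tag)
        self.rules[(ip, int(port))] = now + self.open_for
        # Open the port only from the authenticated source address.
        return f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j ACCEPT"

    def expire(self, now):
        """Close windows that have elapsed; returns the matching iptables deletions."""
        gone = [k for k, exp in self.rules.items() if exp <= now]
        for k in gone:
            del self.rules[k]
        return [f"iptables -D INPUT -s {ip} -p tcp --dport {port} -j ACCEPT"
                for ip, port in gone]
```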