Re: [tlug] dropping any IP that tries port 22?
- Date: Fri, 19 Jan 2007 22:43:22 +0900
- From: "Stephen J. Turnbull" <stephen@example.com>
- Subject: Re: [tlug] dropping any IP that tries port 22?
- References: <52599.210.168.237.209.1169184208.squirrel@example.com> <45B05710.6090005@example.com> <1169200640.29848.19.camel@example.com>
scott writes:

 > This is a great idea. I'm not familiar with what position 1 is so I've
 > gotta do some more reading...

In "iptables -I <chain> <n> ..." <n> is the position of the rule (starting from 1), which is checked in order. Since this is a LOG rule, it doesn't hurt to have it before unrelated rules, and you do want it before the rule that stops port 22 altogether.

I guess a reasonable alternative is

    iptables -A INPUT -d yo.ur.i.p --proto tcp --dport 22 --syn -j LOG
    iptables -A INPUT -d yo.ur.i.p --proto tcp --dport 22 -j REJECT

*in that order* so it gets LOGged then REJECTed (instead of REJECTed and stop processing---without LOGging). I choose REJECT here because presumably you'll be smart enough to see "connection refused" and realize you forgot to use -p or knockd before you get your own IP banned.

Also, a more sophisticated ban script could count tries and only ban after three, or something like that. Or you could put the ACCEPT on the port you have selected as your nonstandard SSH listener *before* the REJECT/DROP rules (which you would then add with "iptables -I INPUT 2 ...").

Anyway, once you've got the IP that you want to ban, you want to insert it at position 1 so that (a) you don't waste time processing other rules and (b) you don't log it and add it again (maybe iptables is smart enough not to dupe entries, but it seems unlikely).

 > Or maybe there is a simpler way?

The inverse Postel Principle: be lenient about what you send out, and an absolute bastard about what you allow in:

    # maybe the knock ports only need to ACCEPT on --syn?
    iptables -A INPUT -d yo.ur.i.p --proto tcp --dport KNOCK1 -j ACCEPT
    iptables -A INPUT -d yo.ur.i.p --proto tcp --dport KNOCK2 -j ACCEPT
    iptables -A INPUT -d yo.ur.i.p --proto tcp --dport ALTSSH -j ACCEPT
    ... any other traffic you know you want ...
    # -P takes only a built-in target (ACCEPT or DROP); to REJECT instead, append a final "-j REJECT" rule
    iptables -P INPUT DROP
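The "count tries and only ban after three" script sketched in the message, as an added example that is not Stephen's code: a POSIX shell function reads the kernel LOG lines written by the port 22 rule, counts SYNs per source, and prints the "iptables -I INPUT 1" ban commands the mail describes, skipping any source that already has a DROP rule so nothing is inserted twice. The log prefix "ssh-try: ", the sample syslog lines and the "iptables -S INPUT" output are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original thread. Counts port-22 SYNs per
# source in kernel LOG output and emits a position-1 ban for each source that
# reached the threshold, unless a DROP rule for it already exists. It only
# prints the commands; review them, then pipe the output to sh.

# Constructed sample of syslog lines from a rule using --log-prefix "ssh-try: ".
SAMPLE_LOG='Jan 19 22:40:01 host kernel: ssh-try: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=41000 DPT=22 SYN URGP=0
Jan 19 22:40:03 host kernel: ssh-try: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=41001 DPT=22 SYN URGP=0
Jan 19 22:40:05 host kernel: ssh-try: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=41002 DPT=22 SYN URGP=0
Jan 19 22:41:10 host kernel: ssh-try: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=5555 DPT=22 SYN URGP=0
Jan 19 22:42:00 host kernel: ssh-try: IN=eth0 OUT= SRC=192.0.2.99 DST=203.0.113.5 PROTO=TCP SPT=6000 DPT=22 SYN URGP=0
Jan 19 22:42:01 host kernel: ssh-try: IN=eth0 OUT= SRC=192.0.2.99 DST=203.0.113.5 PROTO=TCP SPT=6001 DPT=22 SYN URGP=0
Jan 19 22:42:02 host kernel: ssh-try: IN=eth0 OUT= SRC=192.0.2.99 DST=203.0.113.5 PROTO=TCP SPT=6002 DPT=22 SYN URGP=0'

# Constructed stand-in for "iptables -S INPUT": 192.0.2.99 is already banned.
EXISTING_RULES='-P INPUT DROP
-A INPUT -s 192.0.2.99/32 -j DROP
-A INPUT -d 203.0.113.5/32 -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "ssh-try: "
-A INPUT -d 203.0.113.5/32 -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable'

# ban_commands LOGTEXT RULETEXT THRESHOLD
# Prints "iptables -I INPUT 1 -s <ip> -j DROP" for every source with at
# least THRESHOLD logged SYNs to port 22 that is not already DROPped.
ban_commands() {
    printf '%s\n' "$1" \
      | grep 'ssh-try: ' | grep ' DPT=22 ' | grep ' SYN ' \
      | sed -n 's/.* SRC=\([0-9.]*\) .*/\1/p' \
      | sort | uniq -c \
      | while read -r count ip; do
            [ "$count" -ge "$3" ] || continue
            # Insert at position 1 only once: an existing DROP rule means skip.
            printf '%s\n' "$2" | grep -q -- "-s $ip/32 -j DROP" && continue
            printf 'iptables -I INPUT 1 -s %s -j DROP\n' "$ip"
        done
}

ban_commands "$SAMPLE_LOG" "$EXISTING_RULES" 3
```

On a live box the two constructed variables would be replaced by the output of grep over the syslog file and of "iptables -S INPUT".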
- References:
- [tlug] dropping any IP that tries port 22?
- From: scott
- Re: [tlug] dropping any IP that tries port 22?
- From: Birkir A. Barkarson
- Re: [tlug] dropping any IP that tries port 22?
- From: scott