Remote ssh access

[flanker]

 ïðåäûäóùåì ñîîáùåíèè âñå íå ïîìåñòèëîñü, ïðîäîëæó â ýòîì.

post-firewall âûãëÿäèò òàê:

Code:

#!/bin/sh

PATH=/sbin:/bin:/usr/sbin:usr/bin:/opt/sbin:/opt/bin:/opt/local/bin

logger "post-firewall started"

#this rule can be uncommented for the testing period
#iptables -A INPUT -p tcp --syn --dport 2222 -j ACCEPT

# set default policy
iptables -P INPUT DROP

# remove last default rule
iptables -D INPUT -j DROP

# ***ssh subsection begin***
SSH_PORT=12345
SSH_ALLOW=/usr/local/etc/ssh.allow
SSH_DENY=/usr/local/etc/ssh.deny

# Create a new SSH_EVAL chain which will evaluate incoming connections to ssh server from WAN
iptables -N SSH_EVAL

# Transfer all ssh connections to the SSH_EVAL chain
iptables -A INPUT -p tcp --dport $SSH_PORT -j SSH_EVAL

# Evaluate incoming ssh connections through ssh.allow and ssh.deny lists
for i in `awk '{print $1}' $SSH_ALLOW`
do
    iptables -A SSH_EVAL -p tcp --syn -s $i --dport $SSH_PORT -j ACCEPT
done
for i in `awk '{print $1}' $SSH_DENY`
do
    iptables -A SSH_EVAL -p tcp --syn -s $i --dport $SSH_PORT -j DROP
done

# Block annoying intruder's attemtps (after --hitcount connections occured, wait --seconds after the last connection attempt)
# Remember, that both successful and unsuccessful connections are counted
iptables -A SSH_EVAL -i ! $3 -p tcp -m state --state NEW --dport $SSH_PORT -m recent --set --name SSH_ATTACKER --rsource
iptables -A SSH_EVAL -i ! $3 -p tcp -m state --state NEW --dport $SSH_PORT -m recent --update --seconds 600 --hitcount 4 --name SSH_ATTACKER --rsource -j DROP

# Accept the rest of ssh connections which were able to pass through the filtering
iptables -A SSH_EVAL -p tcp --syn --dport $SSH_PORT -j ACCEPT
# ***ssh subsection end*** 

# Low PPTP speed fix
iptables -t nat -nvL POSTROUTING | grep MASQUERADE | awk '{
    "ifconfig "$7" | grep Mask" | getline ip;
    split(ip,ip,":"); split(ip[2],ip," ");
    split($8,src,"!");
    if (src[1]=="") {src="! -s "src[2]} else {src="-s "src[1]};
    if ($9=="0.0.0.0/0") {dst=""} else {dst="-d "$9};
    system("iptables -t nat -A POSTROUTING -o "$7" "src" "dst" -j SNAT --to-source "ip[1]);
    system("iptables -t nat -D POSTROUTING -o "$7" "src" "dst" -j MASQUERADE");
}'

Ñîáñòâåííî, ìåíÿ íå íàïðÿãàåò îòñóòñòâèå â ëîãàõ IP-àäðåñà àòàêóþùåãî. Íî äëÿ ïîëíîòû êàðòèíû íå ïîìåøàåò. Òåì áîëåå, ÷òî ðàíüøå âñå ðàáîòàëî. Ê òîìó æå, âîçìîæíî, ýòî ÿâëÿåòñÿ ïðèçíàêîì íåïðàâèëüíûõ íàñòðîåê â iptables èëè åùå ãäå.

Íå ïîäñêàæóò ëè óâàæàåìûå çíàòîêè, ãäå êîïàòü? Åñëè âîïðîñ óæå îáñóæäàëñÿ, ïîäñêàæèòå, ïîæàëóéñòà, ãäå ñìîòðåòü, ñàì íå íàøåë.

[Gaku]

Ïî÷åìó-òî ïðè èñïîëüçîâàíèè ýòîãî ñêðèïòà (post-firewall) uTorrent íå ìîæåò ïðèíèìàòü âõîäÿùèå ïîäêëþ÷åíèÿ, âñòðîåííàÿ ïðîâåðêà ãîâîðèòü, ÷òî ïîðò çàêðûò.

Ïîìîãèòå ïîæàëóéñòà ðàçîáðàòüñÿ: ÷òî îçíà÷àþò ñòðîêè
grep -q -- '--dport 0\b' /tmp/nat_rules && grep -v -- '--dport 0\b' /tmp/nat_rules | iptables-restore
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

è íå ìîæåò ëè áûòü ïðîáëåìà â òîì, ÷òî ìû îáíóëÿåì âñå ïðàâèëà ïåðâûìè äâóìÿ ñòðî÷êàìè ñêðèïòà?

Çàðàíåå áîëüøîå ñïàñèáî!

iptables -P INPUT DROP
iptables -D INPUT -j DROP
SSH_PORT=22
SSH_ALLOW=/usr/local/etc/ssh.allow
SSH_DENY=/usr/local/etc/ssh.deny
ssh server from WAN
iptables -N SSH_EVAL
iptables -A INPUT -p tcp --dport $SSH_PORT -j SSH_EVAL
for i in `awk '{print $1}' $SSH_ALLOW`
do
iptables -A SSH_EVAL -p tcp --syn -s $i --dport $SSH_PORT -j ACCEPT
done
for i in `awk '{print $1}' $SSH_DENY`
do
iptables -A SSH_EVAL -p tcp --syn -s $i --dport $SSH_PORT -j DROP
done

iptables -A SSH_EVAL -i ! $3 -p tcp -m state --state NEW --dport $SSH_PORT -m recent --set --name SSH_ATTACKER --rsource
iptables -A SSH_EVAL -i ! $3 -p tcp -m state --state NEW --dport $SSH_PORT -m recent --update --seconds 600 --hitcount 4 --name SSH_ATTACKER --rsource -j DROP

iptables -A SSH_EVAL -p tcp --syn --dport $SSH_PORT -j ACCEPT

grep -q -- '--dport 0\b' /tmp/nat_rules && grep -v -- '--dport 0\b' /tmp/nat_rules | iptables-restore
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

[DmitryZz]

500 gpV2 ñ ïðîøèâêîé îò ýíòóçèàñòîâ 1.9.2.7-d-r1087.
íóæåí ìíå óäàëåííûé äîñòóï ñíàðóæè ïî SSH.
ðåãèñòðèðóþñü â dyndns - ðîóòåð èçâíå ïèíãóåòñÿ íîðìàëüíî.
âêëþ÷àþ â íåì SSH íà ïîðòó 443.
èäó íà nettols.ru, ïðîâåðÿþ - ãîâîðèò, ÷òî èçâíå ïîðò 443 çàêðûò.
âêëþ÷àþ íà ðîóòåðå äîñòóï ê web ìîðäå ïî 8080.
ïûòàþñü èçâíå â ãóãëõðîìå çàëåçòü íà http:// ìîéäèíäíñ:8080 - íåò îòâåòà îò ñåðâåðà.
÷òî è ãäå ïîäêðóòèòü ÷àéíèêó?
ñïàñèáî.

[Pablo Escobar]

èñõîäíûå äàííûå:
wl500gp v.1 - 1.9.2.7-d-r2624
áåëûé äèíàìè÷åñêèé ip, îáðàùàþñü ÷åðåç DynDNS.
ssh ñëóøàåò ïîðò, íàïðèìåð, 57000.

ñ ðàáîòû (Win7 Ultimate, ñèæó çà ôðåé, âñå íàðóæó îòêðûòî) ïûòàþñü çàéòè íà ðîóòåð ñ ïîìîùüþ putty. ðàçðåøèë â âèíäîâîì ôàéðâîëëå putty, ïîäêëþ÷èëñÿ íà ïîðò, íàïðèìåð, 57000, íî ñïóòàë ëîãèí è çàêðûë åå.
ïîñëå ýòîãî ïðîáîâàë åùå ðàç äåñÿòü - íîëü ýôôåêòà, òàéìàóò ïîäêëþ÷åíèÿ.

äîáðàëñÿ äî äîìà, âèæó â ëîãàõ óäà÷íîå ïîäêëþ÷åíèå

Code:

Mar 30 10:27:54 dropbear[557]: Child connection from my_work_ip:55558
Mar 30 10:28:15 dropbear[557]: login attempt for nonexistent user from my_work_ip:55558
Mar 30 10:28:21 dropbear[557]: exit before auth: Exited normally

Âîïðîñ, â îáùåì, â ñëåäóþùåì - îòêóäà âçÿëñÿ ýòîò ëåâûé ïîðò, è ÷òî ÿ âîîáùå äåëàþ íå òàê?

Ñïàñèáî.

[al37919]

my_work_ip:55558 --- ýòî èñõîäÿùèé ïîðò
login attempt for nonexistent user from my_work_ip:55558 --- ýòî âïîëíå åñòåñòâåííûé îòëóï ïðè íåïðàâèëüíîì èìåíè ïîëüçîâàòåëÿ
exit before auth: Exited normally --- ýòî çàêðûòèå âòîðîé êîïèè dropbear, êîòîðàÿ ñîçäàåòñÿ íà êàæäîå íîâîå ñîåäèíåíèå.

 îáùåì, íåò ïðè÷èí äëÿ áåñïîêîéñòâà --- ñóäÿ ïî ïðèâåäåííîìó ëîãó ó âàñ âñå â àáàæóðå.

[Pablo Escobar]

my_work_ip:55558 --- ýòî èñõîäÿùèé ïîðò
login attempt for nonexistent user from my_work_ip:55558 --- ýòî âïîëíå åñòåñòâåííûé îòëóï ïðè íåïðàâèëüíîì èìåíè ïîëüçîâàòåëÿ
exit before auth: Exited normally --- ýòî çàêðûòèå âòîðîé êîïèè dropbear, êîòîðàÿ ñîçäàåòñÿ íà êàæäîå íîâîå ñîåäèíåíèå.

 îáùåì, íåò ïðè÷èí äëÿ áåñïîêîéñòâà --- ñóäÿ ïî ïðèâåäåííîìó ëîãó ó âàñ âñå â àáàæóðå.

íå âñå, îäíàêî. putty ïåðåñòàë êîííåêòèòüñÿ (ïîäêëþ÷èëñÿ âñåãî îäèí ðàç) è îòâàëèâàåòñÿ ïî òàéìàóòó ñîåäèíåíèÿ. îäèí ðàç ñìîã è âñå.
ìîæåò èç îïûòà ïîäñêàæåòå ÷òî, à òî ÿ çà äâà äíÿ óæå ôðþ èçó÷èë, à òîëêó íåò, â ëîãàõ ðîóòåðà êîííåêòîâ íåò.

[al37919]

òå â ëîãå dropbear áîëüøå íå óïîìèíàëñÿ?
ïðè÷åì ïî âîçâðàùåíèè dropbear â çàïóùåííûõ ïðîöåññàõ ïðèñóòñòâîâàë?

÷òî ìîæíî ñäåëàòü:
1) åñëè ïîäîçðåíèÿ íà çàùèòó recent è ó ôðè àäðåñ ñòàòè÷åñêèé, òî åãî ìîæíî ïðîïèñàòü â áåëûé ñïèñîê (ôàéë /usr/local/etc/ssh.allow ). Òîãäà íà ýòîò àäðåñ/ïîäñåòü îíà íå ðàñïðîñòðàíÿåòñÿ
2) åñëè äåéñòâèòåëüíî ïàäàåò dropbear, òî ìîæíî â cron çàñóíóòü ÷òî-òî ïîäîáíîå äëÿ åãî ïåðåïîäúåìà ðàç ìèíóò â 5-10:

Code:

#! /bin/sh

# This script checks to make sure important
# processes are running (in case they crash).
# It also makes sure annoying or unwanted
# programs are not running.

# Based on:
# http://wl500g.info/showthread.php?t=2556

ensure()
{
  [ $ENSURE = "no" ] && exit
  name=$1
  cmd=$2
  [ -z "$2" ] && cmd="$name"
  running=`/bin/ps | grep "$name" | grep -v "grep"`
  if [ -z "$running" ]; then
    logger -t ensure-proc "$name: restarting"
    $cmd
  fi
}

ensure dropbear

3) Åñëè çàíèìàòüñÿ èññëåäîâàíèåì ïðîáëåìû ñâÿçàííîé ñ ôàéðâîëîì, òî æåëàòåëüíî ôèçè÷åñêè íàõîäèòüñÿ âíóòðè íåãî. Ò.å. äåëàåì êîííåêò íà ôðþ è ñ íåå ëîãèíèìñÿ îáðàòíî è èùåì ãäå è ïî÷åìó ÷òî-òî íå òàê.

[Pablo Escobar]

òå â ëîãå dropbear áîëüøå íå óïîìèíàëñÿ?
ïðè÷åì ïî âîçâðàùåíèè dropbear â çàïóùåííûõ ïðîöåññàõ ïðèñóòñòâîâàë?

äà, è ïóñêàåò è èçíóòðè, è ñ ìîáèëêè. â ëîãå áîëüøå íåò åãî.

1) åñëè ïîäîçðåíèÿ íà çàùèòó recent è ó ôðè àäðåñ ñòàòè÷åñêèé, òî åãî ìîæíî ïðîïèñàòü â áåëûé ñïèñîê (ôàéë /usr/local/etc/ssh.allow ). Òîãäà íà ýòîò àäðåñ/ïîäñåòü îíà íå ðàñïðîñòðàíÿåòñÿ

çâàòðà îáÿçàòåëüíî ïîïðîáóþ è îòïèøóñü. îäíàêî, ïî÷åìó îäèí ðàç âñå-òàêè ïðîñêî÷èë êîííåêò, íåïîíÿòíî. ñëó÷èëîñü ýòî ïîñëå âíåñåíèÿ èñêëþ÷åíèÿ â âèíäîâûé ôàéðâîëë.

2) åñëè äåéñòâèòåëüíî ïàäàåò dropbear, òî ìîæíî â cron çàñóíóòü ÷òî-òî ïîäîáíîå äëÿ åãî ïåðåïîäúåìà ðàç ìèíóò â 5-10:

óâåðåí, ÷òî íå ïàäàåò, âñå ñòàáèëüíî.

3) Åñëè çàíèìàòüñÿ èññëåäîâàíèåì ïðîáëåìû ñâÿçàííîé ñ ôàéðâîëîì, òî æåëàòåëüíî ôèçè÷åñêè íàõîäèòüñÿ âíóòðè íåãî. Ò.å. äåëàåì êîííåêò íà ôðþ è ñ íåå ëîãèíèìñÿ îáðàòíî è èùåì ãäå è ïî÷åìó ÷òî-òî íå òàê.

äà, òî÷íî, âîò îá ýòîì êàê-òî è íå ïîäóìàë.

çàâòðà ïðîâåðþ, îòïèøóñü, ñïàñèáî.

[Pablo Escobar]

 îáùåì, âñå îêàçàëîñü ïðîùå è äóðíåå.
Èç-çà ãëþ÷íîãî adsl èíòåðíåòà î÷åíü äîëãî ïðîèñõîäèò ñîåäèíåíèå, è putty óñïåâàåò îòâàëèòüñÿ ïî òàéìàóòó.

À òàê - âñå ðàáîòàåò.

[TReX]

500 gpV2 ñ ïðîøèâêîé îò ýíòóçèàñòîâ 1.9.2.7-d-r1087.
íóæåí ìíå óäàëåííûé äîñòóï ñíàðóæè ïî SSH.
ðåãèñòðèðóþñü â dyndns - ðîóòåð èçâíå ïèíãóåòñÿ íîðìàëüíî.
âêëþ÷àþ â íåì SSH íà ïîðòó 443.
èäó íà nettols.ru, ïðîâåðÿþ - ãîâîðèò, ÷òî èçâíå ïîðò 443 çàêðûò.
âêëþ÷àþ íà ðîóòåðå äîñòóï ê web ìîðäå ïî 8080.
ïûòàþñü èçâíå â ãóãëõðîìå çàëåçòü íà http:// ìîéäèíäíñ:8080 - íåò îòâåòà îò ñåðâåðà.
÷òî è ãäå ïîäêðóòèòü ÷àéíèêó?
ñïàñèáî.

À çà÷åì âûáèðàòü ïîðò çàðåçåðâèðîâàííûé ïîä https? ïðîáóéòå ïîðòû âûøå 2000

[vectorm]

À çà÷åì âûáèðàòü ïîðò çàðåçåðâèðîâàííûé ïîä https? ïðîáóéòå ïîðòû âûøå 2000

Àâòîð âîïðîñà íå óêàçàë, "áåëûé" ëè ó íåãî àäðåñ.
Ìîæåò îí ñîâñåì íå ðîóòåð ïèíãóåò.

[mr-butch]

Äîáðûé äåíü.

Çàìåòèë ñòàáèëüíîå çàâèñàíèå ðîóòåðà ïîñëå óäàëåííîãî ïîäêëþ÷åíèÿ ê íåìó ïî ssh. Ïðè÷åì âèñíåò "íàìåðòâî", òàê ÷òî ïîñëå íå èç ëîêàëêè, íå èç âíåøêè ê íåìó íåò äîñòóïà (íè web, íè ssh, íè wi-fi, íè dhcp ñ íåãî íå ðàáîòàþò). Òîëüêî ping èç ëîêàëêè îòâå÷àåò, åñëè ïîäêëþ÷èòüñÿ êàáåëåì è íàçíà÷èòü ip âðó÷íóþ. Ïîìîãàåò ïåðåäåðãèâàíèå ïèòàíèÿ.
Íå áûëî íè îäíîãî ðàçà ÷òîáû íå "ïîâèñ".  îñòàëüíûõ ñëó÷àÿõ ðàáîòàåò ñóòêè íàïðîëåò.

 ÷åì ìîæåò áûòü ïðè÷èíà?

P.S. Ïðîøèâêà - 1.9.2.7-rtn-r3121.

[Satoorn]

Óæå êàêîé äåíü áüþñü, íå ìîãó çàéòè èç âíå ïî ssh.
 âåá èíòåðôåéñå âñ¸ ÷òî ñâÿçàííî ñ ssh îòêëþ÷åíî.
Íàñòðîåíî ñîåäèíåíèå ddns ÷åðåç no-ip.com
Ïðîøèâêà ïîñëåäíÿÿ îò ýíòóçèàñòîâ. ðîóòåð wl-500gP

Code:

cat /tmp/local/sbin/post-boot 
dropbear > /dev/null 2>&1


cat /tmp/local/sbin/post-firewall 
iptables -P INPUT DROP
iptables -D INPUT -j DROP

#Èñïðàâëÿåì íèçêóþ ñêîðîñòü PPTP
iptables -t nat -nvL POSTROUTING | grep MASQUERADE | awk '{
"ifconfig "$7" | grep Mask" | getline ip;
split(ip,ip,":"); split(ip[2],ip," ");
split($8,src,"!");
if (src[1]=="") {src="! -s "src[2]} else {src="-s "src[1]};
if ($9=="0.0.0.0/0") {dst=""} else {dst="-d "$9};
system("iptables -t nat -A POSTROUTING -o "$7" "src" "dst" -j SNAT --to-source "ip[1]);
system("iptables -t nat -D POSTROUTING -o "$7" "src" "dst" -j MASQUERADE");
}' 

# ***ssh subsection begin*** 
#iptables -t raw -A PREROUTING -p tcp --dport 22 -j DROP
iptables -A INPUT -p tcp --dport 22 -j DROP
iptables -t nat -A PREROUTING -p tcp --dport 56789 -j REDIRECT --to-ports 22
# ***ssh subsection end***
iptables -A INPUT -j DROP


iptables -L -vn
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination 
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3128 
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 
0 0 ACCEPT all -- tun0 * 0.0.0.0/0 0.0.0.0/0 
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2613 
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID 
2620 516K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW 
166 51485 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW 
0 0 SECURITY all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 state NEW 
57 8804 SECURITY all -- vlan1 * 0.0.0.0/0 0.0.0.0/0 state NEW 
14 5190 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68 
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 
40 3530 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

iptables -t nat -nvL PREROUTING
Chain PREROUTING (policy ACCEPT 34 packets, 2597 bytes)
pkts bytes target prot opt in out source destination 
0 0 DNAT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2613 to:192.168.25.1:2613 
4 251 VSERVER all -- * * 0.0.0.0/0 94.24.196.21 
0 0 VSERVER all -- * * 0.0.0.0/0 10.62.86.84 
2 304 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:56789 redir ports 22 
0 0 DNAT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:192.168.25.1:443 


Ñ ëîêàëêè çàõîæó è ïî 22 è ïî 56789 ïîðòó, õîòÿ ïûòàþñü 22 äðîïàòü. Ñ WAN íó íè â êàêóþ, ïèøåò: 
$ ssh ***.no-ip.info
ssh: connect to host ***.no-ip.info port 22: No route to host
Íå ïîéìó, ïî÷åìó íå âèäíî ñîåäèíåíèå ïî netstat?


netstat -na
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State 
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 
tcp 0 0 0.0.0.0:8081 0.0.0.0:* LISTEN 
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 
tcp 0 0 0.0.0.0:5431 0.0.0.0:* LISTEN 
tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN 
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 
tcp 0 0 10.62.86.84:1024 78.29.3.77:1723 ESTABLISHED 
udp 0 0 0.0.0.0:1025 0.0.0.0:* 
udp 0 0 0.0.0.0:514 0.0.0.0:* 
udp 0 0 127.0.0.1:34954 0.0.0.0:* 
udp 0 0 0.0.0.0:53 0.0.0.0:* 
udp 0 0 0.0.0.0:67 0.0.0.0:* 
udp 0 0 0.0.0.0:1900 0.0.0.0:*

[TReX]

Óæå êàêîé äåíü áüþñü, íå ìîãó çàéòè èç âíå ïî ssh.
 âåá èíòåðôåéñå âñ¸ ÷òî ñâÿçàííî ñ ssh îòêëþ÷åíî.
Íàñòðîåíî ñîåäèíåíèå ddns ÷åðåç no-ip.com
Ïðîøèâêà ïîñëåäíÿÿ îò ýíòóçèàñòîâ. ðîóòåð wl-500gP

A äëÿ ÷åãî òàêèå ñëîæíîñòè èëè ñýð ëþáèò ñòîÿ â ãàìàêå è â àêâàëàíãå?

[Satoorn]

×òî âû óâèäåëè ñëîæíîãî?
Äàâàéòå ïî ïðîñòîìó.

Code:

$ cat /tmp/local/sbin/post-firewall
#!/bin/sh

iptables -P INPUT DROP
iptables -D INPUT -j DROP
iptables -A INPUT -p tcp -m state --state NEW --dport 22 -m recent --set --name SSH_ATTACKER --rsource
iptables -A INPUT -p tcp -m state --state NEW --dport 22 -m recent --update --seconds 600 --hitcount 6 --name SSH_ATTACKER --rsource -j DROP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -j DROP


$ iptables -L -vn
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
 2414  472K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           state NEW 
  156 44601 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW 
    0     0 SECURITY   all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           state NEW 
   44 10302 SECURITY   all  --  vlan1  *       0.0.0.0/0            0.0.0.0/0           state NEW 
   16  5846 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68 
    0     0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 recent: SET name: SSH_ATTACKER side: source 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 recent: UPDATE seconds: 600 hit_count: 6 name: SSH_ATTACKER side: source 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 
   26  4400 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0 

$  netstat -na
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:8081            0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:5431            0.0.0.0:*               LISTEN           
tcp        0      0 10.62.86.84:1024        78.29.3.44:1723         ESTABLISHED 
udp        0      0 0.0.0.0:1025            0.0.0.0:*                           
udp        0      0 0.0.0.0:514             0.0.0.0:*                           
udp        0      0 127.0.0.1:34954         0.0.0.0:*                           
udp        0      0 0.0.0.0:53              0.0.0.0:*                           
udp        0      0 0.0.0.0:67              0.0.0.0:*                           
udp        0      0 0.0.0.0:1900            0.0.0.0:*

Ïî ëîêàëêå çàõîæó íà 22 ïîðò.
Ïî÷åìó 22 ïîðò íå ïðîñëóøèâàåòñÿ? ×òî åù¸ ïîêàçàòü?