[nSLUG] OT: mail server stuff (was Re: Apache)

Stephen Gregory nslug at kernelpanic.ca
Sat Aug 8 10:11:35 ADT 2009


re passwords:


Along with strong passwords there are two options in sshd_config for
limiting who can log on: AllowUsers and AllowGroups. By using either
option any user not specifically allowed is denied access. It is a nice
safety net if you enable a system account with a simple password by
mistake. Or if your significant other changes their password to their
username.


Hatem Nassrat wrote:
> 
> If you end up wanting to access ssh externally you may want to open up
> a port externally other than 22, maybe 2202 or something, because you
> will get bruteforced if you use port 22.

For limiting brute force attempts I use the following iptables rules:


# Loopback first, then anything belonging to an open connection.  The recent
# rules must come after this: the DROP rule is not limited to NEW packets,
# so a listed address would otherwise lose its established sessions too.
iptables -I INPUT -j ACCEPT -i lo
iptables -A INPUT -j ACCEPT -m state --state RELATED,ESTABLISHED

# Drop a source with 6 or more hits in QUENCH within the last 60 seconds;
# --update adds a hit on each match, so a host that keeps hammering stays
# blocked.  The seventh new connection within a minute is the first dropped.
iptables -A INPUT -j DROP -m recent --update --name QUENCH \
          --seconds 60 --hitcount 6
# Every new connection attempt, on any port or protocol, counts as a hit.
iptables -A INPUT -m state --state NEW -m recent --set --name QUENCH

# A DROP default policy on INPUT (not shown) is assumed for everything else.
iptables -A INPUT -j ACCEPT -m state --state NEW --proto tcp --dport 22

You may want to add a rule directly below the RELATED rule to accept
traffic from your local subnet if you have one:

iptables -A INPUT -j ACCEPT --source 192.168.0.0/24

or whatever your local subnet is.

The rate limiting bits are the two "-m recent" rules. You need to put them
after allowing RELATED traffic or you could easily lock yourself out.
You can have different conditions for different ports or sets of ports
by using more rules with different name options and adding options
to the "--set" rules. (I use QUENCH above, but it can be any string.) If
I have different block conditions I only limit the "--set" rule, not the
"-j DROP -m recent --update" rule. I figure if some machine gets blocked
for brute forcing port 22, then they can be blocked for all other
services too.

# SSH counts only attempts on the ssh ports; Idiots counts every new
# connection.  Neither DROP rule is limited by port: a source that trips
# either threshold is cut off from all services.
iptables -A INPUT -j DROP -m recent --update --name SSH \
          --seconds 60 --hitcount 6
iptables -A INPUT -j DROP -m recent --update --name Idiots \
          --seconds 120 --hitcount 10
iptables -A INPUT -m state --state NEW --proto tcp --dport 22 \
          -m recent --set --name SSH
iptables -A INPUT -m state --state NEW --proto tcp --dport 2022 \
          -m recent --set --name SSH
iptables -A INPUT -m state --state NEW -m recent --set --name Idiots


On Ubuntu and Debian you can add this to /etc/rc.local. It will only
work if you don't already use a firewall package. Otherwise you will
have to hack it in somehow.


-- 
sg
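A worked model of the first rule set above, added here as an example; it is not code from the post or from netfilter. It re-implements the matching behaviour of the recent module in plain Python (a per-source ring buffer of hit timestamps sized at the module's default of 20 is an assumption, as are the constructed addresses 192.0.2.10 and 203.0.113.7 and a DROP default policy for anything the rules do not accept) and runs three constructed traffic patterns through the chain: a host opening a new SSH connection every five seconds, the same host retrying after a pause, and an administrator whose own open session shares an address with connections that trip the limiter, once with the RELATED,ESTABLISHED rule first and once with the recent rules above it, which is the lockout the post warns about.

```python
"""Offline model of the post's "-m recent" rules (added example; not code
from the post or from netfilter).  Assumptions: hits are kept per source in
a ring buffer of 20 timestamps (ip_pkt_list_tot default); --set records a
hit; --update --seconds S --hitcount N matches when >= N hits fall in the
last S seconds and records a fresh hit on a match.  Traffic is constructed."""
from collections import deque
from dataclasses import dataclass

PKT_LIST_TOT = 20           # assumed xt_recent ring-buffer size per source
ADMIN = "192.0.2.10"        # constructed: your own workstation
ATTACKER = "203.0.113.7"    # constructed: a brute-forcing host


@dataclass
class Packet:
    src: str
    state: str              # conntrack state: NEW, ESTABLISHED or RELATED
    dport: int
    proto: str = "tcp"


class RecentList:
    """One named list of the recent module, e.g. "--name QUENCH"."""
    def __init__(self):
        self.stamps = {}    # src -> deque of hit times (seconds)

    def set(self, src, now):
        """--set: record a hit; when full, the oldest hit is overwritten."""
        self.stamps.setdefault(src, deque(maxlen=PKT_LIST_TOT)).append(now)

    def update(self, src, now, seconds, hitcount):
        """--update: True if src has >= hitcount hits in the last `seconds`;
        a match records a new hit, so a host that keeps hammering stays listed."""
        stamps = self.stamps.get(src)
        if stamps and sum(1 for t in stamps if now - t <= seconds) >= hitcount:
            stamps.append(now)
            return True
        return False


def build_chain(established_first=True):
    """The post's first rule set as (match, target) pairs.  A None target is
    a rule without -j (the --set rule): side effect only, packet continues.
    established_first=False puts the recent rules above the ESTABLISHED accept."""
    quench = RecentList()

    def accept_est(p, now):
        return p.state in ("RELATED", "ESTABLISHED")

    def drop_flood(p, now):
        return quench.update(p.src, now, seconds=60, hitcount=6)

    def count_new(p, now):
        if p.state == "NEW":
            quench.set(p.src, now)
        return True

    def accept_ssh(p, now):
        return p.state == "NEW" and p.proto == "tcp" and p.dport == 22

    limiter = [(drop_flood, "DROP"), (count_new, None), (accept_ssh, "ACCEPT")]
    return [(accept_est, "ACCEPT")] + limiter if established_first else limiter + [(accept_est, "ACCEPT")]


def filter_packet(chain, pkt, now, policy="DROP"):
    """First matching rule with a target decides; the post shows no default
    policy, so DROP for everything else is assumed."""
    for match, target in chain:
        if match(pkt, now) and target is not None:
            return target
    return policy


def brute_force(attempts=10, interval=5):
    """ATTACKER opens a new SSH connection every `interval` s; one verdict each."""
    chain = build_chain()
    return [filter_packet(chain, Packet(ATTACKER, "NEW", 22), i * interval)
            for i in range(attempts)]


def retry_after_silence(quiet_for):
    """Seven quick attempts, then one more `quiet_for` s after the last."""
    chain = build_chain()
    for i in range(7):
        filter_packet(chain, Packet(ATTACKER, "NEW", 22), i * 5)
    return filter_packet(chain, Packet(ATTACKER, "NEW", 22), 30 + quiet_for)


def own_session(established_first):
    """ADMIN's open session (ESTABLISHED packet every 10 s) while the same
    address opens seven new connections in 30 s.  Session verdicts over 100 s."""
    chain = build_chain(established_first)
    verdicts = []
    for t in range(0, 101, 5):
        if t <= 30:
            filter_packet(chain, Packet(ADMIN, "NEW", 22), t)
        if t % 10 == 0:
            verdicts.append(filter_packet(chain, Packet(ADMIN, "ESTABLISHED", 22), t))
    return verdicts
```

Running the model shows six attempts accepted and the seventh dropped; because --update records a hit on every dropped packet, the block only clears once the host has been quiet for the full 60 seconds. With the recent rules placed above the RELATED,ESTABLISHED accept, the administrator's session packets start being dropped as soon as the list trips, and each dropped packet refreshes the list, so the session never recovers while it keeps sending.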


