[nSLUG] OT: mail server stuff (was Re: Apache)

Sheldon Tower shtower at eastlink.ca
Sat Aug 8 11:29:42 ADT 2009


Thanks for the information. I put an AllowUser line in my sshd_config 
file right away.

Stephen Gregory wrote:
> re passwords:
>
>
> Along with strong passwords there are two options in sshd_config for
> limiting who can log on: AllowUsers, and AllowGroups. By using either
> option any user not specifically allowed is denied access. It is a nice
> safety net if you enable a system account with a simple password by
> mistake. Or if your significant other changes their password to their
> username.
>
>
> Hatem Nassrat wrote:
>   
>> If you end up wanting to access ssh externally you may want to open up
>> a port externally other than 22, maybe 2202 or something, because you
>> will get bruteforced if you use port 22.
>>     
>
> For limiting brute force attempts I use the following iptables rules:
>
>
> iptables -I INPUT -j ACCEPT -i lo
> iptables -A INPUT -j ACCEPT -m state --state RELATED,ESTABLISHED
>
> iptables -A INPUT -j DROP -m recent --update --name QUENCH \
>           --seconds 60  --hitcount 6
> iptables -A INPUT -m state --state NEW -m recent --set --name QUENCH
>
> iptables -A INPUT -j ACCEPT -m state --state NEW --proto tcp --dport 22
>
> You may want to add a rule directly below the RELATED rule to accept
> traffic from your local subnet if you have one:
>
> iptables -A INPUT -j ACCEPT --source 192.168.0.0/24
>
> or whatever your local subnet is.
>
> The rate limiting bits are the two "-m recent" rules. You need to set them
> after allowing RELATED traffic or you could easily block yourself out.
> You can have different conditions for different ports or sets of ports
> by using more rules with the different name options and adding options
> to the "--set" rules. (I use QUENCH above, but it can be any string.) If
> I have different block conditions I only limit the "--set" rule not the
> "-j DROP -m recent --update" rule. I figure if some machine gets blocked
> for brute forcing port 22, then they can be blocked for all other
> services too.
>
> iptables -A INPUT -j DROP -m recent --update --name SSH \
>           --seconds 60  --hitcount 6
> iptables -A INPUT -j DROP -m recent --update --name Idiots \
>           --seconds 120  --hitcount 10
> iptables -A INPUT -m state --state NEW -m recent --set --name SSH \
>           --proto tcp --dport 22
> iptables -A INPUT -m state --state NEW -m recent --set --name SSH \
>           --proto tcp --dport 2022
> iptables -A INPUT -m state --state NEW -m recent --set --name Idiots
>
>
> On Ubuntu and Debian you can add this to /etc/rc.local. It will only
> work if you don't already use a firewall package. Otherwise you will
> have to hack it in somehow.
>


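The post's rules rely on how `-m recent --set` and `--update --seconds --hitcount` interact over time, and the order of the DROP and `--set` rules decides how many connections a source gets before it is cut off. The following is an added Python model written for this page, not code from the post or from its author: it approximates the xt_recent match semantics (a per-source list of the last 20 packet timestamps, a sliding window in seconds, and a refresh of the entry whenever an `--update` rule matches), and the addresses and timelines in it are constructed. It reproduces both of the rule sets quoted above so the block and unblock points can be inspected without touching a live firewall.

```python
"""Added model of the `-m recent --set` / `--update --seconds --hitcount` pattern
from the post's iptables rules. It approximates xt_recent semantics (per-source
timestamp list, sliding window, entry refresh on an --update match); it is not
the kernel code, and the addresses and timelines below are constructed."""
from dataclasses import dataclass, field
from typing import Optional

PKT_LIST_TOT = 20  # xt_recent keeps at most this many timestamps per address (module default)


@dataclass
class RecentList:
    """One `--name` list: source address -> timestamps of recorded packets."""
    stamps: dict = field(default_factory=dict)

    def set(self, src, now):
        """`--set`: record this packet for src, creating the entry if needed."""
        hist = self.stamps.setdefault(src, [])
        hist.append(now)
        del hist[:-PKT_LIST_TOT]  # keep only the newest PKT_LIST_TOT stamps

    def update(self, src, now, seconds, hitcount):
        """`--update --seconds S --hitcount N`: match when src has at least N
        recorded packets within the last S seconds. A match also records this
        packet, so a source that keeps hammering stays matched for as long as
        it keeps trying; only S seconds of silence lets the entry drain."""
        hist = self.stamps.get(src)
        if hist is None:
            return False
        hits = sum(1 for t in hist if now - t <= seconds)
        if hits < hitcount:
            return False
        self.set(src, now)
        return True


@dataclass
class DropIfRecent:
    """`-j DROP -m recent --update --name NAME --seconds S --hitcount N`."""
    name: str
    seconds: int
    hitcount: int


@dataclass
class MarkNew:
    """`-m state --state NEW -m recent --set --name NAME [--proto tcp --dport P]`;
    there is no -j, so the packet falls through to the rules after it."""
    name: str
    dport: Optional[int] = None


def run_chain(rules, packets):
    """Push NEW-connection packets (time, src, dport) through the rules in order.
    A packet that no rule drops is assumed to reach a later ACCEPT for its port."""
    lists = {}
    verdicts = []
    for now, src, dport in packets:
        verdict = "ACCEPT"
        for rule in rules:
            lst = lists.setdefault(rule.name, RecentList())
            if isinstance(rule, DropIfRecent):
                if lst.update(src, now, rule.seconds, rule.hitcount):
                    verdict = "DROP"
                    break
            elif rule.dport is None or rule.dport == dport:
                lst.set(src, now)
        verdicts.append(verdict)
    return verdicts


# The post's single-list ruleset: every NEW connection is counted in QUENCH.
QUENCH_RULES = [
    DropIfRecent("QUENCH", seconds=60, hitcount=6),
    MarkNew("QUENCH"),
]

# The post's two-list variant: ssh ports feed SSH, all NEW traffic feeds Idiots.
TWO_LIST_RULES = [
    DropIfRecent("SSH", seconds=60, hitcount=6),
    DropIfRecent("Idiots", seconds=120, hitcount=10),
    MarkNew("SSH", dport=22),
    MarkNew("SSH", dport=2022),
    MarkNew("Idiots"),
]


def brute_force_then_pause():
    """Constructed timeline: 203.0.113.9 tries ssh every 5 s for a minute, goes
    quiet, and comes back once the 60 s window has drained. A second source
    connecting in the middle is unaffected because the lists are per address."""
    pkts = [(t, "203.0.113.9", 22) for t in range(0, 60, 5)]  # 12 attempts
    pkts.append((3, "192.168.0.10", 22))   # one legitimate login
    pkts.append((200, "203.0.113.9", 22))  # attacker returns after the pause
    pkts.sort(key=lambda p: p[0])
    return run_chain(QUENCH_RULES, pkts)   # 7 ACCEPT, 6 DROP, then ACCEPT again


def web_scan_hits_idiots_list():
    """Constructed timeline: 198.51.100.7 opens a NEW connection to port 80
    every second. The SSH list never sees it, but Idiots drops it after 10."""
    pkts = [(t, "198.51.100.7", 80) for t in range(15)]
    return run_chain(TWO_LIST_RULES, pkts)   # 10 ACCEPT, then 5 DROP


if __name__ == "__main__":
    print("QUENCH:   ", " ".join(v[0] for v in brute_force_then_pause()))
    print("two lists:", " ".join(v[0] for v in web_scan_hits_idiots_list()))
```

Two things the model makes visible. Because the `-j DROP ... --update` rule sits above the `--set` rule, a source gets exactly `hitcount` new connections inside the window and the next one is dropped (six per minute with the post's numbers); swapping the two rules would cut that to five. And the lists count any source, which is why the post warns about blocking yourself out: an admin who opens seven ssh sessions in a minute is treated the same as the scanner, so the local-subnet ACCEPT the post suggests placing under the RELATED rule is worth adding.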

