---------- Original Message -----------
From: "Dr. Blunt" <[email protected]>
To: BlueOnyx General Mailing List <[email protected]>
Sent: Wed, 27 Feb 2013 08:30:39 -0800
Subject: [BlueOnyx:12314] Re: Server hacked?
> Sometime back Gerald sent me this setup for my iptables -- It has helped
> block plenty of junk at the BO.
>
> /sbin/iptables -A INPUT -i eth0 -p tcp --dport 20200 -m state --state NEW -m recent --set --name SSH2
> /sbin/iptables -A INPUT -i eth0 -p tcp --dport 20200 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH2 -j LOG --log-level 4 --log-prefix 'Block SSH 20200 Attack'
> /sbin/iptables -A INPUT -i eth0 -p tcp --dport 20200 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH2 -j DROP
> /sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
> /sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j LOG --log-level 4 --log-prefix 'Block SSH 22 Attack'
> /sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
> /sbin/iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW -m recent --set --name Dovecot
> /sbin/iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name Dovecot -j LOG --log-level 4 --log-prefix 'Block Dovecot Attack'
> /sbin/iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name Dovecot -j DROP
> /sbin/iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW -m recent --set --name SMTP
> /sbin/iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SMTP -j LOG --log-level 4 --log-prefix 'Block SMTP Attack'
> /sbin/iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SMTP -j DROP
>
> At 08:13 AM 2/27/2013, you wrote:
>
> > and added them to deny.hosts.rules in apf but when I restart sendmail,
> > there they are.

I see a bunch of logging, naming, and blocking. But it also shows TCP Port 22 (SSH) blocked completely - and a new service (SSH2) running and allowed on TCP Port 20200.

Problem with that - you've first got to change your SSH to listen on TCP Port 20200. If not -- the above set of rules will only block SSH access to the server and you've got no way in!

The change required is the "Port" entry in the /etc/ssh/sshd_config file. And don't forget to restart SSH after the change with "service sshd restart".

Chuck
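A preflight check for the lockout caveat Chuck raises, written as an added example that is not from the thread or from BlueOnyx: it reads the Port entries from sshd_config, refuses to generate the throttle rules for a port sshd is not actually listening on, and reproduces the three-rule recent-module block from the quoted message for any port/name pair. The sshd_config path, the sample config and the function names are assumptions.

```shell
#!/bin/sh
# Print the ports sshd is configured to listen on, one per line.
# sshd defaults to 22 when no Port directive is set; commented-out
# "#Port" lines are ignored because $1 is then "#Port", not "Port".
sshd_ports() {
  cfg=$1
  ports=$(awk 'tolower($1) == "port" { print $2 }' "$cfg")
  if [ -n "$ports" ]; then
    printf '%s\n' $ports
  else
    echo 22
  fi
}

# Fail (return 1) if any port given on the command line is not one
# sshd listens on. Usage: check_ssh_ports <sshd_config> <port>...
check_ssh_ports() {
  cfg=$1; shift
  listening=$(sshd_ports "$cfg")
  rc=0
  for p in "$@"; do
    if ! printf '%s\n' "$listening" | grep -qx "$p"; then
      echo "WARNING: rules target port $p but sshd is not listening there" >&2
      rc=1
    fi
  done
  return $rc
}

# Emit (not execute) the throttle from the quoted message for one port:
# track NEW connections, then log and drop a source that opens more than
# 8 of them within 60 s. Pipe the output to sh only after the check passes.
throttle_rules() {
  port=$1; name=$2
  base="/sbin/iptables -A INPUT -i eth0 -p tcp --dport $port -m state --state NEW -m recent"
  limit="--update --seconds 60 --hitcount 8 --rttl --name $name"
  printf '%s\n' \
    "$base --set --name $name" \
    "$base $limit -j LOG --log-level 4 --log-prefix 'Block $name $port Attack'" \
    "$base $limit -j DROP"
}

# Run the check first, and only then print the rules for the given port.
# Usage: guarded_throttle <sshd_config> <port> <name>
guarded_throttle() {
  check_ssh_ports "$1" "$2" && throttle_rules "$2" "$3"
}
```

With the default /etc/ssh/sshd_config still on port 22, `guarded_throttle /etc/ssh/sshd_config 20200 SSH2` prints the warning and nothing else, which is the point at which the Port change Chuck describes has to happen first.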
_______________________________________________
Blueonyx mailing list
[email protected]
http://mail.blueonyx.it/mailman/listinfo/blueonyx
