Re: [qmailtoaster] Q7

2015-04-06 Thread Dave M

Correction,

SMTP set to port 587, Auto


On 4/6/2015 11:48 AM, Dave M wrote:

Success
After waiting for DNS propagation, I am now running one test domain, 
with 3 email accounts live on Centos7 Qmail-toaster standard install.


I set up Outlook client, using IMAP, port 993, SSL, SMTP port 587, SSL
So far no errors at all.



Oh yes, firewall is now secured,

Thanks
Dave M


thanks all,
as I hadn't completed the install at that point, I also hadn't copied 
in my special firewall rules : )


Thanks for the reminders.

My centos7 install will be live with one test domain tomorrow

Cheers
Dave M

On Apr 3, 2015 4:53 PM, "DNK" wrote:


I have a mgmt machine to connect to all my servers. Then I access
that mgmt machine VIA SSH W/ Keys and a passphrase. 2 factor
authentication is going  to be layered on as well.

-- 
DNK


On April 3, 2015 at 3:08:50 PM, Cecil Yother, Jr. (c...@yother.com) wrote:


yet another tip.

Isolate your ip in iptables like so

-A INPUT -p tcp -m tcp -s 192.168.0.1 --dport 5150 -j ACCEPT

using non-standard port replacing the private ip with your
public IP address.

The only problem with this approach is accessing it from the
road where your IP is changing.



On 04/03/2015 11:41 AM, Hasan Akgöz wrote:

second tip ;

It does this by using simple Access List Rules which are
included in the two files /etc/hosts.allow and /etc/hosts.deny.
Firstly allow access by placing the following inside
/etc/hosts.allow:

/etc/hosts.allow
sshd: 1.2.3.0/255.255.255.0 (1.2.3.0 secure network)

Then disallow all further access by placing this in
/etc/hosts.deny:

/etc/hosts.deny
sshd: ALL

third tip :

Change the absolute ssh port. For example, 2122.




2015-04-03 17:01 GMT+03:00 Dan McAllister <q...@it4soho.com>:

On 4/2/2015 5:20 PM, Dave M wrote:

This should make you smile

I have just this minute finished an install of Centos7 to
prepare for the qmail-toaster install.

After the first update, and reboot, I logged in via ssh

Up pops the security message:

*There were 249 failed login attempts since the last
successful login.*

Thankfully the default firewall took care of them

Just be careful doing installs with live external IP, and
disabling the firewall until you are done

Made me laugh : )


Just a tip --

Instead of leaving your SSH port open, put a connection
limit on it:

The following entries are from an iptables config file:

-A INPUT -p tcp --dport 22 -m limit --limit 2/minute -j ACCEPT
-A INPUT -p tcp --dport 22 -j DROP

You can fail your login attempt twice per minute, then
you're dropped for the remainder of the minute.
In most cases, they fail the login twice in like a
10-second period, fail a few more times (with unsuccessful
connections this time) and finally quit -- blissfully
unaware that they could try 2 more times in 60 seconds.

The point is, if you're just fat-fingering your SSH
password, no worries - wait 60 seconds
But if you're trying a brute-force attack, good luck --
instead of hundreds of tries per minute, you now get just 2...

Needless to say, you can adjust to your own recipe...

Dan McAllister
IT4SOHO


--
IT4SOHO, LLC
33 - 4th Street N, Suite 211
St. Petersburg, FL 33701-3806

CALL TOLL FREE:
   877-IT4SOHO

877-484-7646 Phone
727-647-7646 Local
727-490-4394 Fax

We have support plans for QMail!




--








Re: [qmailtoaster] Q7

2015-04-06 Thread Dave M

Success
After waiting for DNS propagation, I am now running one test domain, 
with 3 email accounts live on Centos7 Qmail-toaster standard install.


I set up Outlook client, using IMAP, port 993, SSL, SMTP port 587, SSL
So far no errors at all.



Oh yes, firewall is now secured,

Thanks
Dave M


thanks all,
as I hadn't completed the install at that point, I also hadn't copied 
in my special firewall rules : )


Thanks for the reminders.

My centos7 install will be live with one test domain tomorrow

Cheers
Dave M

On Apr 3, 2015 4:53 PM, "DNK" wrote:


I have a mgmt machine to connect to all my servers. Then I access
that mgmt machine VIA SSH W/ Keys and a passphrase. 2 factor
authentication is going  to be layered on as well.

-- 
DNK


On April 3, 2015 at 3:08:50 PM, Cecil Yother, Jr. (c...@yother.com) wrote:


yet another tip.

Isolate your ip in iptables like so

-A INPUT -p tcp -m tcp -s 192.168.0.1 --dport 5150 -j ACCEPT

using non-standard port replacing the private ip with your public
IP address.

The only problem with this approach is accessing it from the road
where your IP is changing.



On 04/03/2015 11:41 AM, Hasan Akgöz wrote:

second tip ;

It does this by using simple Access List Rules which are
included in the two files /etc/hosts.allow and /etc/hosts.deny.
Firstly allow access by placing the following inside
/etc/hosts.allow:

/etc/hosts.allow
sshd: 1.2.3.0/255.255.255.0 (1.2.3.0 secure network)

Then disallow all further access by placing this in /etc/hosts.deny:

/etc/hosts.deny
sshd: ALL

third tip :

Change the absolute ssh port. For example, 2122.




2015-04-03 17:01 GMT+03:00 Dan McAllister <q...@it4soho.com>:

On 4/2/2015 5:20 PM, Dave M wrote:

This should make you smile

I have just this minute finished an install of Centos7 to
prepare for the qmail-toaster install.

After the first update, and reboot, I logged in via ssh

Up pops the security message:

*There were 249 failed login attempts since the last
successful login.*

Thankfully the default firewall took care of them

Just be careful doing installs with live external IP, and
disabling the firewall until you are done

Made me laugh : )


Just a tip --

Instead of leaving your SSH port open, put a connection
limit on it:

The following entries are from an iptables config file:

-A INPUT -p tcp --dport 22 -m limit --limit 2/minute -j ACCEPT
-A INPUT -p tcp --dport 22 -j DROP

You can fail your login attempt twice per minute, then
you're dropped for the remainder of the minute.
In most cases, they fail the login twice in like a 10-second
period, fail a few more times (with unsuccessful connections
this time) and finally quit -- blissfully unaware that they
could try 2 more times in 60 seconds.

The point is, if you're just fat-fingering your SSH
password, no worries - wait 60 seconds
But if you're trying a brute-force attack, good luck --
instead of hundreds of tries per minute, you now get just 2...

Needless to say, you can adjust to your own recipe...

Dan McAllister
IT4SOHO


--
IT4SOHO, LLC
33 - 4th Street N, Suite 211
St. Petersburg, FL 33701-3806

CALL TOLL FREE:
   877-IT4SOHO

877-484-7646 Phone
727-647-7646 Local
727-490-4394 Fax

We have support plans for QMail!




--
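
Added example (not part of the original thread or any poster's own code): a simplified token-bucket model of the iptables `limit` match used in the 2/minute rule quoted above, run over constructed traffic. It assumes each event is one new connection attempt, uses the match's default `--limit-burst` of 5, and compares the single shared bucket of `-m limit` with one bucket per source address, which is what the `hashlimit` match with `--hashlimit-mode srcip` provides; the class, function and address names are illustrative.

```python
from fractions import Fraction


class TokenBucket:
    """Simplified model of the iptables `limit` match (a token bucket)."""

    def __init__(self, per_minute, burst=5):  # 5 is the --limit-burst default
        self.rate = Fraction(per_minute, 60)  # tokens regained per second
        self.burst = burst
        self.tokens = Fraction(burst)         # bucket starts full
        self.last = 0

    def allow(self, now):
        # Refill for the elapsed time, capped at the burst size.
        refilled = self.tokens + (now - self.last) * self.rate
        self.tokens = min(Fraction(self.burst), refilled)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1   # packet matches the ACCEPT rule
            return True
        return False           # packet falls through to the DROP rule


def accepted_per_source(events, per_source, per_minute=2, burst=5):
    """events: (second, source_ip) connection attempts. Returns {ip: accepted}."""
    shared = TokenBucket(per_minute, burst)
    buckets = {}
    accepted = {src: 0 for _, src in events}
    for t, src in sorted(events):
        if per_source:
            bucket = buckets.setdefault(src, TokenBucket(per_minute, burst))
        else:
            bucket = shared
        if bucket.allow(t):
            accepted[src] += 1
    return accepted


# Constructed traffic (documentation addresses): one noisy source retries
# every second for a minute; the administrator connects once at t=45.
NOISY, ADMIN = "203.0.113.7", "198.51.100.20"
EVENTS = [(t, NOISY) for t in range(60)] + [(45, ADMIN)]

if __name__ == "__main__":
    print("one shared bucket :", accepted_per_source(EVENTS, per_source=False))
    print("bucket per source :", accepted_per_source(EVENTS, per_source=True))
```

With the shared bucket the first five attempts pass at once because of the burst, and the administrator's single attempt is dropped because the noisy source has already spent the budget; with per-source buckets the administrator is unaffected.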