[qmailtoaster] Re: Firewall

2014-07-16 Thread M

Corrected typo:

cp /etc/rc.d/firewall.ruleset /etc.rc.d/firewall.org

Should be
cp /etc/rc.d/firewall.ruleset /etc/rc.d/firewall.org



On 7/16/2014 1:02 PM, M wrote:

Hi list, recently I had a request for a VM for one of our qmailers.

Subsequently, after deployment, we found the VM to be compromised, so
hackers got in before I could secure the qmail VM.


I rebuilt the VM, added "my" firewall rules, and sent it off again. No
probs this time.
I was asked if they could share the firewall rules. No probs, but I
looked for a way to block by country.


Here is what I found, and modified for our qmail needs (rules etc).
Thanks go to the original script writer; I merely modified it.

Firewall script, so you can block specific countries, e.g. China (ISO
cn). Working as of July 16th 2014.

No offense meant to any countries listed here, for demo purposes only.


Do an ISO country code lookup for your needs.

Tested on qmail-CentOS5 and qmail-CentOS6.

Should work on other iptables-type firewalls.

Install & Setup.
Back up your existing firewall script.
CentOS5 qmail install: cp /etc/rc.d/firewall.ruleset /etc.rc.d/firewall.org
CentOS6 qmail install: cp /etc/sysconfig/iptables /etc/sysconfig/iptables.org


Copy the script to your server and make it executable: chmod +x country_block.sh

Edit the file and modify it to your needs. Specific areas:
ISO="af cn kr"
# Set the ports you need; these are set for a standard qmail
# install. Remove 3306 if you don't do database syncs.
ALLOWPORTS=22,25,80,110,143,443,465,587,993,995,3306
# Set your subnet
ALLOWSUBNET=192.168.0.0/255.255.0.0


Run the script: ./country_block.sh
Wait until complete.
Check it added the rules with iptables -L -n; you should see a whole
bunch of "countrydrop" lines.


CentOS 5 qmail installs
Save iptables to your /etc/rc.d/firewall.ruleset:
/sbin/iptables-save > /etc/rc.d/firewall.ruleset

Stop and start the firewall:
firewall down
firewall up
Check again: iptables -L -n

CentOS 6 qmail installs
Save iptables to your /etc/sysconfig/iptables:
/sbin/iptables-save > /etc/sysconfig/iptables

Some say this may cause slowness on the email server; I have not found
that to be the case.
Based on "my ruleset" (thousands of entries), I have been running the
rules for years.


Dave M
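An added example, not Dave M's country_block.sh (which was never posted to the list): a POSIX shell script that builds the countrydrop ruleset the instructions above describe from ipdeny-style zone files, in iptables-restore format, so the result can be reviewed before anything is loaded. ZONEDIR, ZONEURL, the chain layout and the sample zone contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Dave M's country_block.sh (which is not on the list):
# build the "countrydrop" ruleset the post describes from ipdeny-style zone
# files, in iptables-restore format, so it can be reviewed before loading.
# The zone files created below are constructed sample input.

ISO="af cn kr"                                   # country codes to drop, as in the post
ALLOWPORTS="22,25,80,110,143,443,465,587,993,995,3306"
ALLOWSUBNET="192.168.0.0/255.255.0.0"
ZONEDIR="${ZONEDIR:-${TMPDIR:-/tmp}/country_block_zones}"   # hypothetical cache dir
ZONEURL="http://www.ipdeny.com/ipblocks/data/countries"     # assumed ipdeny layout

# Constructed zones, one CIDR per line like ipdeny's files. af.zone carries a
# junk line (what a failed download can leave behind); kr.zone is empty.
make_sample_zones() {
    mkdir -p "$ZONEDIR"
    printf '198.51.100.0/24\n203.0.113.0/25\n' > "$ZONEDIR/cn.zone"
    printf '192.0.2.0/24\n<html>Error</html>\n' > "$ZONEDIR/af.zone"
    : > "$ZONEDIR/kr.zone"
}

# Fetch zones one at a time with a pause between requests, inside the ipdeny
# fair-use limits quoted later in the thread. Defined for completeness; not run here.
fetch_zones() {
    for cc in $ISO; do
        wget -q -O "$ZONEDIR/$cc.zone.tmp" "$ZONEURL/$cc.zone" \
            && mv "$ZONEDIR/$cc.zone.tmp" "$ZONEDIR/$cc.zone"
        sleep 1
    done
}

# Pass through only well-formed IPv4 CIDR lines. iptables-restore aborts the
# whole load on one bad token, which would leave the host with no rules at all.
valid_cidrs() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' "$1" || true
}

# Emit the ruleset. Order matters: loopback and the local subnet first, then
# established sessions (replies to the server's own outbound connections), then
# the country chain, then the served ports. Everything else hits INPUT's DROP policy.
build_ruleset() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':countrydrop - [0:0]'
    for cc in $ISO; do
        [ -s "$ZONEDIR/$cc.zone" ] || continue   # missing or empty zone adds nothing
        valid_cidrs "$ZONEDIR/$cc.zone" | while read -r net; do
            echo "-A countrydrop -s $net -j DROP"
        done
    done
    echo '-A INPUT -i lo -j ACCEPT'
    echo "-A INPUT -s $ALLOWSUBNET -j ACCEPT"
    echo '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    echo '-A INPUT -j countrydrop'
    echo "-A INPUT -p tcp -m multiport --dports $ALLOWPORTS -j ACCEPT"
    echo 'COMMIT'
}

# Number of DROP rules the build produces: the "whole bunch of countrydrop
# lines" the post tells you to look for in iptables -L -n.
count_drops() {
    build_ruleset | grep -c '^-A countrydrop '
}

make_sample_zones
build_ruleset      # review, then load with: build_ruleset | /sbin/iptables-restore
```

The output is in the same format /sbin/iptables-save writes, so on CentOS 6 it can go to /etc/sysconfig/iptables once reviewed, and on CentOS 5 to /etc/rc.d/firewall.ruleset.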







[qmailtoaster] Re: Firewall

2014-07-17 Thread Eric Shubert

On 07/16/2014 12:02 PM, M wrote:

[snip]



Is this suitable to replace the firewall.sh script and become the 
'stock' QMT firewall?


--
-Eric 'shubes'


-
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com



[qmailtoaster] Re: Firewall

2014-07-18 Thread Eric Shubert

On 07/17/2014 03:33 PM, Tony White wrote:

FYI Dan I am getting 4 emails in my inbox again.


I think this is a problem with the list server. I'll look into it when I 
get a chance, perhaps this weekend.


--
-Eric 'shubes'





[qmailtoaster] Re: Firewall

2014-07-18 Thread Eric Shubert

On 07/18/2014 01:32 PM, M wrote:

Well, I contacted ipdeny.com.
Here is their updated Fair Use Policy:


  IPdeny fair Usage Limits policy

Last reviewed: March 4, 2012

In order to offer equal and quality service to all public users
IPDENY.COM has implemented fair usage limits policy with the following
resource download limits:

  * no more than 5000 zone downloads per day per IP
  * no more than 5 concurrent connections per IP
  * we suggest doing a wait for 0.5 to 1 second between each request

We do not impose any hard limits and we do understand that sometimes you
need to fetch files more often due to your script testing or anything
similar. This policy was created for "bad people" who are abusing our
service.

By using IPDENY.COM web site and data you also agree to our Terms of
Service (TOS) and that you are familiar with our Copyright notice and
Privacy Policy.


As there are only 243 zone files, that does not break their 5000
zone limit.

I have the zones again, and zipped them up if anyone wants them. Or,
admins, can I add them to an email here? The file size is only 308kb.

Let me know if I can post the zip file here as an attachment.

Dave M




If it fits their fair use policy, would it be appropriate to put it on 
the mirrors? If so, how might it fit into the directory structure there?


Thanks.

--
-Eric 'shubes'





[qmailtoaster] Re: Firewall

2014-07-24 Thread Eric Shubert

On 07/21/2014 01:27 PM, M wrote:

Hi Eric,

I looked at the mirrors directory structure, and do not really see a
place there for the firewall script.
What about adding it to GitHub, maybe here:
https://github.com/QMailToaster/qmailtoaster-util


On 7/18/2014 3:40 PM, Eric Shubert wrote:

[snip]

That sounds appropriate to me for the script.

What about the zone files though? How often do those change? Should 
there perhaps be a freshclam or sa-update sort of thing for keeping the 
zone files up to date?



--
-Eric 'shubes'





[qmailtoaster] Re: Firewall

2014-07-24 Thread Eric Shubert
So, would you like to add everything required for this to the 
qmailtoaster-util repo on github? I can take care of modifying the .spec 
file for them.


Thanks.

P.S. Probably should be having this conversation on the devel list.

--
-Eric 'shubes'

On 07/24/2014 11:41 AM, Madd Macc wrote:

I would guess, as the zone files are country IPs, it would not change
very often at all.

dave m

[snip]










Re: [qmailtoaster] Re: Firewall

2014-07-17 Thread Tony White

A heads-up warning on this script...
It is very good, BUT if you use non-standard ports
for anything, make sure you account for them
before you load this thing up.

Thanks Dave.

best wishes
  Tony White


On 17/07/2014 06:33, M wrote:

[snip]









Re: [qmailtoaster] Re: Firewall

2014-07-17 Thread Me
Correct, as per my note. I also have non-standard ports for ssh etc.
"Edit file, and modify to your needs."



From: Tony White 
Sent: Thursday, July 17, 2014 4:55 AM
To: qmailtoaster-list@qmailtoaster.com 
Subject: Re: [qmailtoaster] Re: Firewall

[snip]









Re: [qmailtoaster] Re: Firewall

2014-07-17 Thread M

Hi Eric,
I can't see why not, just remember that users "may" still need to
modify if they have non-standard ports,

like me for ssh etc.


Is this suitable to replace the firewall.sh script and become the 
'stock' QMT firewall?








Re: [qmailtoaster] Re: Firewall

2014-07-17 Thread Tony White

Hi Eric,
  That is exactly what I have done with it.
So yes, IMHO it is.

FYI Dan I am getting 4 emails in my inbox again.

best wishes
  Tony White


On 18/07/2014 05:39, Eric Shubert wrote:

[snip]

Is this suitable to replace the firewall.sh script and become the 'stock' QMT 
firewall?







Re: [qmailtoaster] Re: Firewall

2014-07-21 Thread M

Hi Eric,

I looked at the mirrors directory structure, and do not really see a
place there for the firewall script.

What about adding it to GitHub, maybe here:
https://github.com/QMailToaster/qmailtoaster-util


On 7/18/2014 3:40 PM, Eric Shubert wrote:

[snip]

If it fits their fair use policy, would it be appropriate to put it on 
the mirrors? If so, how might it fit into the directory structure there?


Thanks.







Re: [qmailtoaster] Re: Firewall

2014-07-24 Thread Madd Macc
I would guess, as the zone files are country IPs, it would not change very
often at all.

dave m
On Jul 24, 2014 12:26 PM, "Eric Shubert" wrote:

> [snip]


[qmailtoaster] Re: firewall rules

2011-05-31 Thread Eric Shubert

On 05/31/2011 08:34 AM, Cecil Yother, Jr. wrote:

IIRC you can close 20 and 21 (FTP), 23 (Telnet), 43 (whois), 123 (NTP).
This is of course unless you use any of these services.


To be a little clearer, you can close these ports so long as you don't 
*serve* these services. For example, you can close port 123 (NTP) and 
still use ntpd as an ntp client to keep time on the server. You'd only 
need to open the port if you're providing ntp services to other clients 
(as a server). This is provided you have a rule that allows established 
sessions to pass the firewall, which you should.



FTP can be moved
to a non standard port and will decrease attacks by 99%.


If you need to provide ftp services, use of non-standard ports is highly 
recommended. You shouldn't need to run an ftp server on QMT, unless 
you're hosting a web site as well and need to allow a way for developers 
to update the web site.



953, 993, and
995 are for secure mail transport.


Not quite right. 953 appears to be for bind 9, which you shouldn't need. 
Running an authoritative domain name server on QMT is not recommended.


Port 993 is for imap-ssl and 995 is for pop3-ssl, both of which you 
probably want to have open. They're not necessarily required though, 
depending on if your users might need them or not.


--
-Eric 'shubes'


On 05/31/2011 09:21 AM, sysad...@tricubemedia.com wrote:

Hi Guys, trying to tighten up the qmail server more:
Can I close any of these ports: not sure what they may be needed for:
tcp dpt:20
tcp dpt:21
tcp dpt:23
tcp dpt:43
udp dpt:123
tcp dpt:953
udp dpt:953
tcp dpt:993
tcp dpt:995
Thanks all
madmac


--
Cecil Yother, Jr. "cj"
cj's
2318 Clement Ave
Alameda, CA  94501

tel 510.865.2787 |http://yother.com
Check out the new Volvo classified resourcehttp://www.volvoclassified.com





-
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com)
   Vickers Consulting Group offers Qmailtoaster support and installations.
 If you need professional help with your setup, contact them today!
-
Please visit qmailtoaster.com for the latest news, updates, and packages.

 To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com

For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
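An added example, not from the list thread: a shell audit of an iptables-save dump that checks for the stateful established-sessions rule Eric's reply depends on and lists the inbound ports opened beyond what the host actually serves. SAMPLE_RULES is a constructed dump whose open ports mirror the ones asked about above; the SERVED list is a hypothetical QMT service set.

```shell
#!/bin/sh
# Added example, not from the list thread: audit an iptables-save dump for the
# two points Eric's reply turns on, a stateful RELATED,ESTABLISHED accept rule
# and inbound ports opened for services this host does not actually serve.
# SAMPLE_RULES is a constructed dump whose open ports mirror the ones asked about.

SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 43 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 953 -j ACCEPT
-A INPUT -p udp -m udp --dport 953 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
COMMIT'

# Hypothetical list of what this QMT host serves, as proto/port. NTP is absent on
# purpose: ntpd as a client only needs the established-sessions rule, not 123/udp open.
SERVED="tcp/22 tcp/25 tcp/110 tcp/143 tcp/587 tcp/993 tcp/995"

# Every proto/port the INPUT chain accepts from anywhere, one per line, in rule order.
open_ports() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / && / -j ACCEPT/ && /--dport/ {
            proto = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            if (proto != "" && port != "") print proto "/" port
        }'
}

# Open ports that nothing in SERVED accounts for: the ones that can be closed.
surplus_ports() {
    for p in $(open_ports "$1"); do
        case " $SERVED " in
            *" $p "*) ;;
            *) echo "$p" ;;
        esac
    done
}

# Served ports the dump does not open: what would break if this ruleset were loaded.
missing_ports() {
    opened=$(open_ports "$1" | tr '\n' ' ')
    for p in $SERVED; do
        case " $opened" in
            *" $p "*) ;;
            *) echo "$p" ;;
        esac
    done
}

# Prints 1 if INPUT accepts RELATED/ESTABLISHED traffic, else 0. Without it,
# closing a server port also cuts off the host's own client use of that service.
has_established_rule() {
    if printf '%s\n' "$1" | grep -Eq '^-A INPUT .*--state [A-Z,]*ESTABLISHED[A-Z,]* -j ACCEPT$'; then
        echo 1
    else
        echo 0
    fi
}

echo "established rule present: $(has_established_rule "$SAMPLE_RULES")"
echo "can be closed:"; surplus_ports "$SAMPLE_RULES"
echo "served but not open:"; missing_ports "$SAMPLE_RULES"
```

On a live host, feed it the real dump with `surplus_ports "$(/sbin/iptables-save)"` and compare the result against what `ss -lntup` (or `netstat -lntup` on CentOS 5/6) shows actually listening before closing anything.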




[qmailtoaster] Re: firewall rules

2011-05-31 Thread Eric Shubert

On 05/31/2011 04:58 PM, Cecil Yother, Jr. wrote:



[snip]


I guess I did OK from memory...



Yes you did. My memory's not that good any more (as if it ever was), so 
I need to look things up, repeatedly. ;)


--
-Eric 'shubes'






Re: [qmailtoaster] Re: firewall rules

2011-05-31 Thread Cecil Yother, Jr.



On 05/31/2011 03:29 PM, Eric Shubert wrote:

[snip]



I guess I did OK from memory...

--
Cecil Yother, Jr. "cj"
cj's
2318 Clement Ave
Alameda, CA  94501

tel 510.865.2787 | http://yother.com
Check out the new Volvo classified resource http://www.volvoclassified.com






Re: [qmailtoaster] Re: firewall rules

2011-06-01 Thread sysadmin

Again,
thanks guys,

I left port 993 imap-ssl and 995 pop3-ssl, just in case users have a need in
the future.

Thanks

madmac


- Original Message - 
From: "Eric Shubert" 

To: 
Sent: Tuesday, May 31, 2011 5:37 PM
Subject: [qmailtoaster] Re: firewall rules



[snip]






