From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001
From: Nicolas Vigier
Date: Sun, 14 Apr 2013 13:46:12 +0000
Subject: Add zarb MLs html archives

---
 zarb-ml/mageia-discuss/2012-September/008656.html | 155 ++++++++++++++++++++++
 1 file changed, 155 insertions(+)
 create mode 100644 zarb-ml/mageia-discuss/2012-September/008656.html

(limited to 'zarb-ml/mageia-discuss/2012-September/008656.html')

diff --git a/zarb-ml/mageia-discuss/2012-September/008656.html b/zarb-ml/mageia-discuss/2012-September/008656.html
new file mode 100644
index 000000000..5ac593cae
--- /dev/null
+++ b/zarb-ml/mageia-discuss/2012-September/008656.html
@@ -0,0 +1,155 @@
+ + + + [Mageia-discuss] Setting up a port forward + + + + + + + + + +

[Mageia-discuss] Setting up a port forward

+ Anne Wilson + annew at kde.org +
+ Sat Sep 1 20:36:52 CEST 2012 +

+
+ +
-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+On 01/09/12 10:10, Anne Wilson wrote:
+> On 31/08/12 23:16, Deri James wrote:
+>> On Friday 31 Aug 2012 22:42:26 Thomas Backlund wrote:
+>>> Why not simply have sshd listen on 2 ports and skip need for
+>>> port forwarding?
+>>> 
+> Thanks, Thomas and Deri.
+>>> 
+>>> Just uncomment the "Port 22" line in /etc/ssh/sshd_config and 
+>>> add a second line with the second port
+>>> 
+>>> so it would look like
+>>> 
+>>> Port 22 Port 5122
+>>> 
+>>> and restart sshd
+>>> 
+>>> with this all access that expects port 22 will continue to
+>>> work, and you can also access it through the new 5122 port.
+>>> 
+>>> Simple and effective, and no portforwarding needed.
+>>> 
+> Done
+> 
+>> And add 5122/tcp to the "Advanced" tab in MCC -> Security -> 
+>> Personal Firewall (if you are using a personal firewall).
+> 
+> Also done
+> 
+>> If the server is accessible from the internet I would recommend 
+>> some further changes to sshd_conf. This is what I use (assuming 
+>> this is a server for personal use, not with hundreds of users 
+>> connecting):-
+> 
+>> =================================================
+> 
+>> LoginGraceTime 120
+> 
+> Was 2m - I assume that is minutes and you gave seconds.  Changed
+> it anyway
+> 
+>> PermitRootLogin no
+> 
+>> TCPKeepAlive yes
+> 
+> Both already set
+> 
+>> AllowUsers ->your user name here<- MaxStartups 2:90:4
+> 
+>> ==================================================
+> 
+>> The "MaxStartups" parameter deters the script kiddies trying to 
+>> guess the password:-
+> 
+> 
+>> MaxStartups ========
+> 
+>> Specifies the maximum number of concurrent unauthenticated 
+>> connections to the SSH daemon. Additional connections will be 
+>> dropped until authentication succeeds or the LoginGraceTime 
+>> expires for a connection. The default is 10.
+> 
+>> Alternatively, random early drop can be enabled by specifying the
+>>  three colon separated values “start:rate:full” (e.g.
+>> "10:30:60"). sshd(8) will refuse connection attempts with a
+>> probability of “rate/100” (30%) if there are currently “start”
+>> (10) unauthenticated connections. The probability increases
+>> linearly and all connection attempts are refused if the number of
+>>  unauthenticated connections reaches “full” (60).
+> 
+> Done.  Also fail2ban is installed, which should give another layer 
+> of protection.  I've used that for ~3 years, and in that time only 
+> seen 3-4 times when it had to work, but work it did :-)
+> 
+> Unfortunately, after adding the IMAP high port to shorewall and 
+> telling dovecot to listen to that port, I still can't get my
+> Roaming mail profile to work.  I'll have to explore more later
+> today.
+> 
+> Thanks for the help so far.
+> 
+Just to confirm - the IMAP forwarding still isn't working, so I have to
+explore further on that but ssh is working.
+
+Anne
+- -- 
+Need KDE help? Try
+http://userbase.kde.org or
+http://forum.kde.org
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.12 (GNU/Linux)
+Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
+
+iEYEARECAAYFAlBCVboACgkQj93fyh4cnBdWygCfe8BAki5aJnUk4RtqNHTrZvFH
+N5wAnR/lxpt0xKsX2+kbZ+ITtcbwwdsT
+=Nv9n
+-----END PGP SIGNATURE-----
+
+ + +
+

+ +
+More information about the Mageia-discuss +mailing list
+ -- cgit v1.2.1
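Review bot: The quoted sshd_config advice in the archived body has lost line breaks in two places, "Port 22 Port 5122" and "AllowUsers ->your user name here<- MaxStartups 2:90:4", even though the surrounding text says to "add a second line with the second port". sshd_config takes one keyword per line, and AllowUsers accepts a space-separated list of user name patterns, so the second line copied as-is would read "MaxStartups" and "2:90:4" as further patterns and leave MaxStartups at its default instead of enabling the random early drop the message describes. If the archive is meant to be imported verbatim, keep the lines as they are, but the commit message should say so: it currently carries only the subject "Add zarb MLs html archives", with no body naming the source of the HTML or the tool that generated it, which makes the 155 added lines hard to regenerate or verify later.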