<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<TITLE> [Mageia-discuss] Setting up a port forward
</TITLE>
<LINK REL="Index" HREF="index.html" >
<LINK REL="made" HREF="mailto:mageia-discuss%40mageia.org?Subject=Re%3A%20%5BMageia-discuss%5D%20Setting%20up%20a%20port%20forward&In-Reply-To=%3C5041D118.7090805%40kde.org%3E">
<META NAME="robots" CONTENT="index,nofollow">
<META http-equiv="Content-Type" content="text/html; charset=us-ascii">
<LINK REL="Previous" HREF="008648.html">
<LINK REL="Next" HREF="008656.html">
</HEAD>
<BODY BGCOLOR="#ffffff">
<H1>[Mageia-discuss] Setting up a port forward</H1>
<B>Anne Wilson</B>
<A HREF="mailto:mageia-discuss%40mageia.org?Subject=Re%3A%20%5BMageia-discuss%5D%20Setting%20up%20a%20port%20forward&In-Reply-To=%3C5041D118.7090805%40kde.org%3E"
TITLE="[Mageia-discuss] Setting up a port forward">annew at kde.org
</A><BR>
<I>Sat Sep 1 11:10:48 CEST 2012</I>
<P><UL>
<LI>Previous message: <A HREF="008648.html">[Mageia-discuss] Setting up a port forward
</A></li>
<LI>Next message: <A HREF="008656.html">[Mageia-discuss] Setting up a port forward
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#8653">[ date ]</a>
<a href="thread.html#8653">[ thread ]</a>
<a href="subject.html#8653">[ subject ]</a>
<a href="author.html#8653">[ author ]</a>
</LI>
</UL>
<HR>
<!--beginarticle-->
<PRE>-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 31/08/12 23:16, Deri James wrote:
><i> On Friday 31 Aug 2012 22:42:26 Thomas Backlund wrote:
</I>>><i> Why not simply have sshd listen on 2 ports and skip need for
</I>>><i> port forwarding?
</I>>><i>
</I>Thanks, Thomas and Deri.
>><i>
</I>>><i> Just uncomment the "Port 22" line in /etc/ssh/sshd_config and add
</I>>><i> a second line with the second port
</I>>><i>
</I>>><i> so it would look like
</I>>><i>
</I>>><i> Port 22
</I>>><i> Port 5122
</I>>><i>
</I>>><i> and restart sshd
</I>>><i>
</I>>><i> with this all access that expects port 22 will continue to work,
</I>>><i> and you can also access it through the new 5122 port.
</I>>><i>
</I>>><i> Simple and effective, and no portforwarding needed.
</I>>><i>
</I>Done
><i> And add 5122/tcp to the "Advanced" tab in MCC -> Security ->
</I>><i> Personal Firewall (if you are using a personal firewall).
</I>><i>
</I>Also done
><i> If the server is accessible from the internet I would recommend
</I>><i> some further changes to sshd_conf. This is what I use (assuming
</I>><i> this is a server for personal use, not with hundreds of users
</I>><i> connecting):-
</I>><i>
</I>><i> =================================================
</I>><i>
</I>><i> LoginGraceTime 120
</I>
Was 2m - I assume that is minutes and you gave seconds. Changed it anyway
><i> PermitRootLogin no
</I>><i>
</I>><i> TCPKeepAlive yes
</I>><i>
</I>Both already set
><i> AllowUsers ->your user name here<- MaxStartups 2:90:4
</I>><i>
</I>><i> ==================================================
</I>><i>
</I>><i> The "MaxStartups" parameter deters the script kiddies trying to
</I>><i> guess the password:-
</I>><i>
</I>><i>
</I>><i> MaxStartups ========
</I>><i>
</I>><i> Specifies the maximum number of concurrent unauthenticated
</I>><i> connections to the SSH daemon. Additional connections will be
</I>><i> dropped until authentication succeeds or the LoginGraceTime expires
</I>><i> for a connection. The default is 10.
</I>><i>
</I>><i> Alternatively, random early drop can be enabled by specifying the
</I>><i> three colon separated values “start:rate:full” (e.g. "10:30:60").
</I>><i> sshd(8) will refuse connection attempts with a probability of
</I>><i> “rate/100” (30%) if there are currently “start” (10)
</I>><i> unauthenticated connections. The probability increases linearly and
</I>><i> all connection attempts are refused if the number of
</I>><i> unauthenticated connections reaches “full” (60).
</I>><i>
</I>Done. Also fail2ban is installed, which should give another layer of
protection. I've used that for ~3 years, and in that time only seen
3-4 times when it had to work, but work it did :-)
Unfortunately, after adding the IMAP high port to shorewall and
telling dovecot to listen to that port, I still can't get my Roaming
mail profile to work. I'll have to explore more later today.
Thanks for the help so far.
Anne
- --
Need KDE help? Try
<A HREF="http://userbase.kde.org">http://userbase.kde.org</A> or
<A HREF="http://forum.kde.org">http://forum.kde.org</A>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - <A HREF="http://enigmail.mozdev.org/">http://enigmail.mozdev.org/</A>
iEYEARECAAYFAlBB0Q8ACgkQj93fyh4cnBcQigCfRwIxl7J7KMPepl+v4uSyW8HU
Ge4An2h/UIKMlrnC/f7b8j0dlyBdT+xE
=TKtn
-----END PGP SIGNATURE-----
</PRE>
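<P>The thread above sets up a second listening port, a shorter LoginGraceTime, PermitRootLogin no, an AllowUsers list and a MaxStartups "start:rate:full" value, and one reply is unsure whether "2m" and "120" mean the same thing. The following checker is an added example written for this archive page; it is not code from the thread, from Mageia or from OpenSSH. It parses a constructed sshd_config fragment, converts sshd time values such as "2m" to seconds following the sshd_config(5) time format, reports which of the thread's recommendations are missing, and computes the refusal probability that the quoted MaxStartups man-page text describes (rate% at "start", rising linearly to 100% at "full"). The function names, the sample config and the weak config used in the usage block are all assumptions made for the example.</P>

```python
"""Added example: audit an sshd_config fragment against the hardening
discussed in the thread (second Port, LoginGraceTime, PermitRootLogin,
AllowUsers, MaxStartups). Sample config text is constructed."""
import re

# Constructed sample resembling the config the thread arrives at.
SAMPLE_SSHD_CONFIG = """
# constructed sample, not a real host's file
Port 22
Port 5122
LoginGraceTime 2m
PermitRootLogin no
TCPKeepAlive yes
AllowUsers alice
MaxStartups 2:90:4
"""

# sshd_config(5) TIME FORMATS: bare number = seconds, or [n][unit] terms.
_TIME_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_sshd_time(value):
    """Convert "120", "2m" or "1h30m" into seconds; reject anything else."""
    total, pos = 0, 0
    for m in re.finditer(r"(\d+)([smhdw]?)", value.lower()):
        if m.start() != pos:
            raise ValueError(f"bad time value: {value!r}")
        total += int(m.group(1)) * _TIME_UNITS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(value):
        raise ValueError(f"bad time value: {value!r}")
    return total


def parse_sshd_config(text):
    """Map lower-cased keyword -> list of values (repeated keywords kept)."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            directives.setdefault(parts[0].lower(), []).append(parts[1].strip())
    return directives


def parse_max_startups(value):
    """Return (start, rate, full); a bare number means start=full, rate=100."""
    if ":" in value:
        start, rate, full = (int(x) for x in value.split(":"))
        if start > full or not 0 <= rate <= 100:
            raise ValueError(f"bad MaxStartups: {value!r}")
        return start, rate, full
    n = int(value)
    return n, 100, n


def drop_probability(max_startups, unauthenticated):
    """Percent chance sshd refuses a new connection with `unauthenticated`
    pending connections: 0 below start, rate at start, linear to 100 at full."""
    start, rate, full = parse_max_startups(max_startups)
    if unauthenticated < start:
        return 0
    if unauthenticated >= full:
        return 100
    return rate + (100 - rate) * (unauthenticated - start) / (full - start)


def audit(text):
    """Return a list of findings; an empty list means every recommendation holds."""
    d = parse_sshd_config(text)
    findings = []
    if len(d.get("port", ["22"])) < 2:          # sshd listens on 22 if no Port line
        findings.append("only one listening port; the thread adds a second Port line")
    if d.get("permitrootlogin", [""])[-1].lower() != "no":
        findings.append("PermitRootLogin is not explicitly 'no'")
    grace = parse_sshd_time(d.get("logingracetime", ["2m"])[-1])  # 2m is the sshd default
    if grace > 120:
        findings.append(f"LoginGraceTime is {grace}s; keep it at 120s or less")
    if "allowusers" not in d:
        findings.append("no AllowUsers line; every local account may try to log in")
    if "maxstartups" not in d:
        findings.append("no MaxStartups line; default is 10 with no random early drop")
    else:
        start, rate, full = parse_max_startups(d["maxstartups"][-1])
        if rate == 100 and start == full:
            findings.append("MaxStartups has no random early drop (use start:rate:full)")
    return findings


if __name__ == "__main__":
    print("findings:", audit(SAMPLE_SSHD_CONFIG) or "none")
    for pending in range(0, 5):
        print(f"2:90:4 with {pending} pending -> refuse {drop_probability('2:90:4', pending)}%")
```

Running the block prints no findings for the constructed sample and shows that with MaxStartups 2:90:4 a third unauthenticated connection is refused 95% of the time and a fourth always; with the man page's 10:30:60 example the refusal chance starts at 30% and reaches 100% at 60 pending connections.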
<!--endarticle-->
<HR>
<hr>
<a href="https://www.mageia.org/mailman/listinfo/mageia-discuss">More information about the Mageia-discuss
mailing list</a><br>
</body></html>