Thanks for the amazing cronjob advice.

On Tue, Jun 29, 2010 at 4:26 PM, Steve Edwards <[email protected]> wrote:
> On Tue, 29 Jun 2010, bruce bruce wrote:
>
>> Thanks for that Steve. This works. However, what if I do this (would I
>> block myself from SSH 22):
>> --------------------------------------------------------------
>> sudo iptables\
>> --append INPUT\
>> --match tcp\
>> --protocol tcp\
>> --dport 22\
>> --source 0.0.0.0\
>> --jump ACCEPT
>> --------------------------------------------------------------
>> sudo iptables\
>> --append INPUT\
>> --source 87.230.90.0/24\
>> --jump DROP
>>
>> --------------------------------------------------------------
>>
>> Will that block all other traffic to the server and only allow SSH 22? I
>> don't want to block myself out and it's very important because this is a
>> remote server. If you can confirm above then I can add the legit IPs one by
>> one after that I guess.
>>
>
> I'm not a fan of executing iptables from the command line, nor am I an
> iptables expert.
>
> A very simple /etc/sysconfig/iptables would look like:
>
> *filter
> :INPUT DROP [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
>
> # established connections
> --append INPUT --match state --state RELATED,ESTABLISHED --jump ACCEPT
>
> # accept SSH from bruce bruce
> --append INPUT --match tcp --protocol tcp --dport 22 --source a.b.c.d
> --jump ACCEPT
>
> # log everything else
> --append INPUT --protocol all --jump LOG
>
> # drop everything else
> --append INPUT --protocol all --jump DROP
>
> COMMIT
>
> This should get you started.
>
> Any time you are fiddling with iptables, it would be prudent to add
> something like this to root's crontab:
>
> # Min hour DOM month DOW command
> */05 * * * * /etc/init.d/iptables stop
>
> In case you "blow it," you can get back in within 5 minutes.
>
> --
> Thanks in advance,
> -------------------------------------------------------------------------
> Steve Edwards       [email protected]      Voice: +1-760-468-3867 PST
> Newline                                        Fax: +1-760-731-3000
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> asterisk-biz mailing list
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-biz
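Steve's approach, as an added example that is not from the thread: a small POSIX shell helper that writes a ruleset with the same structure as his /etc/sysconfig/iptables for a given admin address (a hypothetical argument), then walks the INPUT chain top to bottom, as the kernel does, to confirm that a new SSH connection from that address reaches an ACCEPT before the catch-all DROP. It is meant to be run on the file before it is loaded, alongside the cron safety net; the `--source 0.0.0.0` case from the question is exactly what it catches, since iptables reads an address without a mask as /32, so that rule matches only the host 0.0.0.0 and never a real client.

```shell
#!/bin/sh
# Added example, not code from the thread. gen_ruleset emits a ruleset with
# the structure of Steve's file, using the short option spellings that
# iptables-save writes; check_ssh_reachable walks INPUT top to bottom.
gen_ruleset() {
    admin="$1"   # hypothetical: address or CIDR allowed to open SSH
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# accept SSH only from the admin address
-A INPUT -p tcp -m tcp --dport 22 -s $admin -j ACCEPT
# log, then drop, everything else
-A INPUT -j LOG
-A INPUT -j DROP
COMMIT
EOF
}

# Reads a ruleset on stdin; exit 0 if a fresh TCP connection to port 22
# from $1 reaches an ACCEPT, 1 if it hits DROP/REJECT or falls through.
# Understands -s/--source, -p/--protocol, -j/--jump and --dport. The
# source comparison is textual (pass the same string the rule uses).
check_ssh_reachable() {
    awk -v admin="$1" '
        /^(-A|--append) INPUT/ {
            src = ""; proto = ""; port = ""; target = ""; state = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-s" || $i == "--source")   src = $(i + 1)
                if ($i == "-p" || $i == "--protocol") proto = $(i + 1)
                if ($i == "-j" || $i == "--jump")     target = $(i + 1)
                if ($i == "--dport")                  port = $(i + 1)
                if ($i == "--state")                  state = $(i + 1)
            }
            if (state != "") next                 # a new SYN is not ESTABLISHED
            # an address without a mask is /32, so 0.0.0.0 matches no client
            if (src == "0.0.0.0" || src == "0.0.0.0/32") next
            if (src != "" && src != admin) next   # rule is for another source
            if (proto != "" && proto != "tcp" && proto != "all") next
            if (port != "" && port != "22") next  # another service
            if (target == "ACCEPT") { hit = 1; exit }
            if (target == "DROP" || target == "REJECT") exit
        }
        END { if (hit) exit 0; exit 1 }'
}
```

Usage: `gen_ruleset a.b.c.d > /tmp/rules && check_ssh_reachable a.b.c.d < /tmp/rules && echo ok`; the same check also reads Steve's long-option file as long as each rule sits on one line.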
