-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 31/08/12 23:16, Deri James wrote:
> On Friday 31 Aug 2012 22:42:26 Thomas Backlund wrote:
>> Why not simply have sshd listen on 2 ports and skip need for
>> port forwarding?
>>

Thanks, Thomas and Deri.

>>
>> Just uncomment the "Port 22" line in /etc/ssh/sshd_config and add
>> a second line with the second port
>>
>> so it would look like
>>
>> Port 22
>> Port 5122
>>
>> and restart sshd
>>
>> with this all access that expects port 22 will continue to work,
>> and you can also access it through the new 5122 port.
>>
>> Simple and effective, and no portforwarding needed.
>>

Done

> And add 5122/tcp to the "Advanced" tab in MCC -> Security ->
> Personal Firewall (if you are using a personal firewall).
>

Also done

> If the server is accessible from the internet I would recommend
> some further changes to sshd_conf. This is what I use (assuming
> this is a server for personal use, not with hundreds of users
> connecting):-
>
> =================================================
>
> LoginGraceTime 120

Was 2m - I assume that is minutes and you gave seconds. Changed it anyway

> PermitRootLogin no
>
> TCPKeepAlive yes
>

Both already set

> AllowUsers ->your user name here<-
> MaxStartups 2:90:4
>
> ==================================================
>
> The "MaxStartups" parameter deters the script kiddies trying to
> guess the password:-
>
>
> MaxStartups
> ========
>
> Specifies the maximum number of concurrent unauthenticated
> connections to the SSH daemon. Additional connections will be
> dropped until authentication succeeds or the LoginGraceTime expires
> for a connection. The default is 10.
>
> Alternatively, random early drop can be enabled by specifying the
> three colon separated values “start:rate:full” (e.g. "10:30:60").
> sshd(8) will refuse connection attempts with a probability of
> “rate/100” (30%) if there are currently “start” (10)
> unauthenticated connections. The probability increases linearly and
> all connection attempts are refused if the number of
> unauthenticated connections reaches “full” (60).
>

Done. Also fail2ban is installed, which should give another layer of
protection. I've used that for ~3 years, and in that time only seen 3-4
times when it had to work, but work it did :-)

Unfortunately, after adding the IMAP high port to shorewall and telling
dovecot to listen to that port, I still can't get my Roaming mail profile
to work. I'll have to explore more later today.

Thanks for the help so far.

Anne
- --
Need KDE help? Try http://userbase.kde.org or http://forum.kde.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAlBB0Q8ACgkQj93fyh4cnBcQigCfRwIxl7J7KMPepl+v4uSyW8HU
Ge4An2h/UIKMlrnC/f7b8j0dlyBdT+xE
=TKtn
-----END PGP SIGNATURE-----
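The random early drop policy quoted from sshd_config(5) above is easy to misjudge when choosing values, so here is an added model of it (example code written for this page, not part of the thread and not OpenSSH's own implementation). It parses both forms of the MaxStartups value, the single hard cap and "start:rate:full", and reports the refusal probability for a given number of connections still awaiting authentication. The linear rise from rate/100 at "start" to 100% at "full" follows the man page text; the arithmetic is done in floating point here, whereas sshd uses integer percentages and one random draw per attempt (assumption: that difference does not matter for reasoning about the policy).

```python
"""Model of sshd's MaxStartups random early drop as described in sshd_config(5).

Illustrative code, not OpenSSH source. Floating-point interpolation is an
assumption; sshd itself works in integer percent.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class MaxStartups:
    start: int   # pending connections at which refusals begin
    rate: int    # initial refusal probability, in percent
    full: int    # pending connections at which every attempt is refused

    @classmethod
    def parse(cls, value: str) -> "MaxStartups":
        """Parse either a single number (hard cap) or "start:rate:full"."""
        parts = value.strip().split(":")
        if len(parts) == 1:
            n = int(parts[0])
            # A bare N (default 10) refuses every attempt once N are pending.
            return cls(start=n, rate=100, full=n)
        if len(parts) != 3:
            raise ValueError(f"bad MaxStartups value: {value!r}")
        start, rate, full = (int(p) for p in parts)
        if not (0 < start <= full) or not (0 <= rate <= 100):
            raise ValueError(f"bad MaxStartups value: {value!r}")
        return cls(start, rate, full)

    def drop_probability(self, pending: int) -> float:
        """Probability that a new attempt is refused when `pending`
        connections are currently unauthenticated."""
        if pending < self.start:
            return 0.0
        if pending >= self.full:          # also covers start == full
            return 1.0
        # rate/100 at "start", rising linearly to 1.0 at "full"
        progress = (pending - self.start) / (self.full - self.start)
        base = self.rate / 100
        return base + (1 - base) * progress

    def accepts(self, pending: int, rng=random) -> bool:
        """One connection attempt: True if sshd would let it proceed."""
        return rng.random() >= self.drop_probability(pending)


def simulate_accept_rate(policy: MaxStartups, pending: int,
                         trials: int = 10_000, seed: int = 1) -> float:
    """Fraction of `trials` attempts accepted at a fixed pending count."""
    rng = random.Random(seed)
    accepted = sum(policy.accepts(pending, rng) for _ in range(trials))
    return accepted / trials


if __name__ == "__main__":
    for setting in ("10", "10:30:60", "2:90:4"):
        policy = MaxStartups.parse(setting)
        print(f"MaxStartups {setting}:")
        for pending in range(0, policy.full + 1):
            p = policy.drop_probability(pending)
            print(f"  {pending:3d} pending -> refuse {p:6.1%}")
```

Running the table for the thread's own value, 2:90:4, shows what it trades away: as soon as two connections are waiting for a password, nine out of ten new attempts are refused outright, and at four everything is refused. That is exactly why the suggestion is qualified as suitable for a personal server, since a handful of legitimate users logging in at once would be throttled as hard as a guessing bot; on a busier host the default 10, or a wider start:full span, is the safer choice, with fail2ban covering the repeat offenders.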
