On 01/09/12 10:10, Anne Wilson wrote:
> On 31/08/12 23:16, Deri James wrote:
>> On Friday 31 Aug 2012 22:42:26 Thomas Backlund wrote:
>>> Why not simply have sshd listen on 2 ports and skip need for
>>> port forwarding?
>>>
> Thanks, Thomas and Deri.
>>>
>>> Just uncomment the "Port 22" line in /etc/ssh/sshd_config and
>>> add a second line with the second port
>>>
>>> so it would look like
>>>
>>> Port 22
>>> Port 5122
>>>
>>> and restart sshd
>>>
>>> with this all access that expects port 22 will continue to
>>> work, and you can also access it through the new 5122 port.
>>>
>>> Simple and effective, and no port forwarding needed.
>>>
> Done
>
>> And add 5122/tcp to the "Advanced" tab in MCC -> Security ->
>> Personal Firewall (if you are using a personal firewall).
>
> Also done
>
>> If the server is accessible from the internet I would recommend
>> some further changes to sshd_config. This is what I use (assuming
>> this is a server for personal use, not with hundreds of users
>> connecting):-
>
>> =================================================
>
>> LoginGraceTime 120
>
> Was 2m - I assume that is minutes and you gave seconds. Changed
> it anyway
>
>> PermitRootLogin no
>
>> TCPKeepAlive yes
>
> Both already set
>
>> AllowUsers ->your user name here<-
>> MaxStartups 2:90:4
>
>> ==================================================
>
>> The "MaxStartups" parameter deters the script kiddies trying to
>> guess the password:-
>
>> MaxStartups
>> ========
>
>> Specifies the maximum number of concurrent unauthenticated
>> connections to the SSH daemon. Additional connections will be
>> dropped until authentication succeeds or the LoginGraceTime
>> expires for a connection. The default is 10.
>
>> Alternatively, random early drop can be enabled by specifying the
>> three colon separated values "start:rate:full" (e.g.
>> "10:30:60"). sshd(8) will refuse connection attempts with a
>> probability of "rate/100" (30%) if there are currently "start"
>> (10) unauthenticated connections. The probability increases
>> linearly and all connection attempts are refused if the number of
>> unauthenticated connections reaches "full" (60).
>
> Done. Also fail2ban is installed, which should give another layer
> of protection. I've used that for ~3 years, and in that time only
> seen 3-4 times when it had to work, but work it did :-)
>
> Unfortunately, after adding the IMAP high port to shorewall and
> telling dovecot to listen to that port, I still can't get my
> Roaming mail profile to work. I'll have to explore more later
> today.
>
> Thanks for the help so far.
>
Just to confirm - the IMAP forwarding still isn't working, so I have
to explore further on that, but ssh is working.

Anne
-- 
Need KDE help? Try http://userbase.kde.org or http://forum.kde.org
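The sshd_config directives Deri recommends above, and the "start:rate:full" semantics of MaxStartups quoted from the man page, are easy to get wrong by reading alone. The script below is an added example written for this thread; it is not Deri's, Anne's or OpenSSH's code. It parses a small sshd_config fragment (the two config texts are constructed for illustration), reports which of the recommended directives are missing or weak, and tabulates the drop probability sshd applies at each number of unauthenticated connections so you can see what `2:90:4` actually does compared with the man page's `10:30:60`. The probability model is a reimplementation of the behaviour the man page describes, not sshd's own source; treating a missing PermitRootLogin as `yes` (the upstream default at the time of this thread) is an assumption.

```python
"""Audit an sshd_config fragment for the thread's recommendations and model
the MaxStartups random-early-drop schedule from sshd_config(5).

Added example for this thread, not the list participants' own code.  Both
config texts are constructed; drop_probability() reimplements the man page
description and is not OpenSSH's code.
"""
import re
from typing import Dict, List, Tuple

# Constructed "after" config: what the thread ends up with.
HARDENED_CONFIG = """
# /etc/ssh/sshd_config fragment (constructed for this example)
Port 22
Port 5122
LoginGraceTime 120
PermitRootLogin no
TCPKeepAlive yes
AllowUsers anne
MaxStartups 2:90:4
"""

# Constructed "before" config: the defaults of the era written out explicitly.
DEFAULT_CONFIG = """
Port 22
PermitRootLogin yes
MaxStartups 10
"""


def parse_sshd_config(text: str) -> Dict[str, List[str]]:
    """Map lower-cased keyword -> values in file order.

    Keywords are case-insensitive in sshd_config and may be written as
    'Key value' or 'Key=value'.  Repeated keywords (Port, AllowUsers) are all
    kept; for single-valued keywords sshd honours the FIRST occurrence.
    """
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(parts[0].lower(), []).append(value)
    return conf


def seconds(value: str) -> int:
    """sshd time format: bare number is seconds; s/m/h suffixes allowed."""
    units = {"s": 1, "m": 60, "h": 3600}
    if value and value[-1].lower() in units:
        return int(value[:-1]) * units[value[-1].lower()]
    return int(value)


def parse_max_startups(value: str) -> Tuple[int, int, int]:
    """'10' -> (10, 100, 10): refuse everything once 10 are pending.
    'start:rate:full' -> the three fields as integers."""
    parts = value.split(":")
    if len(parts) == 1:
        n = int(parts[0])
        return n, 100, n
    start, rate, full = (int(p) for p in parts)
    return start, rate, full


def drop_probability(unauth: int, start: int, rate: int, full: int) -> int:
    """Percent chance a new connection is refused when `unauth` connections
    are already waiting to authenticate: 0 below start, rate at start,
    linear up to 100 at full (integer percentages, as the man page implies)."""
    if unauth < start:
        return 0
    if unauth >= full or rate == 100:
        return 100
    return rate + (100 - rate) * (unauth - start) // (full - start)


def drop_schedule(value: str) -> Dict[int, int]:
    """Drop probability for every pending-connection count up to 'full'."""
    start, rate, full = parse_max_startups(value)
    return {n: drop_probability(n, start, rate, full) for n in range(full + 1)}


def audit(text: str) -> List[str]:
    """Findings for the directives recommended in the thread."""
    conf = parse_sshd_config(text)
    first = lambda key, default: conf.get(key, [default])[0]  # sshd: first wins
    findings: List[str] = []
    # Assumption: absent PermitRootLogin behaves as 'yes' (the 2012 default).
    if first("permitrootlogin", "yes").lower() != "no":
        findings.append("PermitRootLogin should be 'no'")
    if "allowusers" not in conf:
        findings.append("AllowUsers unset: every local account may attempt login")
    if ":" not in first("maxstartups", "10"):
        findings.append("MaxStartups has no start:rate:full, so no random early drop")
    if seconds(first("logingracetime", "120")) > 120:
        findings.append("LoginGraceTime longer than 120s keeps guessers connected")
    return findings


if __name__ == "__main__":
    for label, text in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(text) or 'no findings'}")
    for spec in ("2:90:4", "10:30:60"):
        print(spec, drop_schedule(spec))
```

Running it shows why `2:90:4` is so aggressive for a single-user box: with just two connections stuck in authentication, nine in ten new attempts are refused, and the fourth pending connection shuts the door completely, whereas the man page's `10:30:60` only starts throttling at ten and reaches 100% at sixty. That is the right trade-off for a personal server, but it also means your own second login can be refused while a scanner holds two slots, so pair it with a short LoginGraceTime as the thread does.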
