Thanks all, as I hadn't completed the install at that point, I also hadn't copied in my special firewall rules : )

Thanks for the reminders. My CentOS 7 install will be live with one test domain tomorrow.

Cheers
Dave M

On Apr 3, 2015 4:53 PM, "DNK" <[email protected]> wrote:

> I have a mgmt machine to connect to all my servers. Then I access that
> mgmt machine VIA SSH W/ Keys and a passphrase. 2 factor authentication is
> going to be layered on as well.
>
> --
> DNK
>
> On April 3, 2015 at 3:08:50 PM, Cecil Yother, Jr. ([email protected]) wrote:
>
> yet another tip.
>
> Isolate your IP in iptables like so:
>
> -A INPUT -p tcp -m tcp -s 192.168.0.1 --dport 5150 -j ACCEPT
>
> using a non-standard port, replacing the private IP with your public IP
> address.
>
> The only problem with this approach is accessing it from the road where
> your IP is changing.
>
> On 04/03/2015 11:41 AM, Hasan Akgöz wrote:
>
> second tip;
>
> It does this by using simple Access List Rules which are included in the
> two files /etc/hosts.allow and /etc/hosts.deny. Firstly allow access by
> placing the following inside /etc/hosts.allow:
>
> /etc/hosts.allow
> sshd: 1.2.3.0/255.255.255.0 ( 1.2.3.0 secure network )
>
> Then disallow all further access by placing this in /etc/hosts.deny:
>
> /etc/hosts.deny
> sshd: ALL
>
> third tip:
>
> Change the absolute ssh port. For example 2122.
>
> 2015-04-03 17:01 GMT+03:00 Dan McAllister <[email protected]>:
>
>> On 4/2/2015 5:20 PM, Dave M wrote:
>>
>> This should make you smile
>>
>> I have just this minute finished an install of CentOS 7 to prepare for the
>> qmail-toaster install.
>>
>> After the first update, and reboot, I logged in via ssh
>>
>> Up pops the security message:
>>
>> *There were 249 failed login attempts since the last successful login.*
>>
>> Thankfully the default firewall took care of them
>>
>> Just be careful doing installs with a live external IP, and disabling the
>> firewall until you are done
>>
>> Made me laugh : )
>>
>>
>> Just a tip --
>>
>> Instead of leaving your SSH port open, put a connection limit on it:
>>
>> The following entries are from an iptables config file:
>>
>> -A INPUT -p tcp --dport 22 -m limit --limit 2/minute -j ACCEPT
>> -A INPUT -p tcp --dport 22 -j DROP
>>
>> You can fail your login attempt twice per minute, then you're dropped for
>> the remainder of the minute.
>> In most cases, they fail the login twice in like a 10-second period, fail
>> a few more times (with unsuccessful connections this time) and finally quit
>> -- blissfully unaware that they could try 2 more times in 60 seconds.
>>
>> The point is, if you're just fat-fingering your SSH password, no worries
>> - wait 60 seconds....
>> But if you're trying a brute-force attack, good luck -- instead of
>> hundreds of tries per minute, you now get just 2...
>>
>> Needless to say, you can adjust to your own recipe...
>>
>> Dan McAllister
>> IT4SOHO
>>
>>
>> --
>> IT4SOHO, LLC
>> 33 - 4th Street N, Suite 211
>> St. Petersburg, FL 33701-3806
>>
>> CALL TOLL FREE:
>> 877-IT4SOHO
>>
>> 877-484-7646 Phone
>> 727-647-7646 Local
>> 727-490-4394 Fax
>>
>> We have support plans for QMail!
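As an added example (not code from Dan or anyone else in the thread), the following Python models the netfilter limit match that the quoted SSH rule relies on: it is a token bucket whose size is --limit-burst (default 5), so --limit 2/minute on its own admits the first five packets before settling to one every 30 seconds. It assumes the rule is qualified with --syn so that only new connection attempts are counted (as quoted, every packet to port 22 is counted, including those of a session already accepted); the attempt timings are constructed.

```python
"""Token-bucket model of iptables' ``-m limit`` (added example, not from the thread).

``--limit`` is the long-run average rate; ``--limit-burst`` (default 5) is the
bucket size. Arrival times must be non-decreasing, in seconds.
"""
from fractions import Fraction
from typing import List


def simulate_limit_match(arrivals_s: List[float], rate_per_minute: int,
                         burst: int = 5) -> List[bool]:
    """Return one verdict per arrival: True where the rule would ACCEPT."""
    refill = Fraction(rate_per_minute, 60)      # tokens added per second
    tokens = Fraction(burst)                    # bucket starts full
    last = Fraction(0)
    verdicts = []
    for t in arrivals_s:
        t = Fraction(t)
        tokens = min(Fraction(burst), tokens + (t - last) * refill)
        last = t
        if tokens >= 1:
            tokens -= 1
            verdicts.append(True)
        else:
            verdicts.append(False)              # a DROP consumes no credit
    return verdicts


def render_rules(rate_per_minute: int, burst: int, port: int = 22) -> List[str]:
    """iptables lines that throttle only new connections (--syn), so an
    accepted interactive session is not dropped once the bucket is empty."""
    return [
        f"-A INPUT -p tcp --dport {port} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"-A INPUT -p tcp --dport {port} --syn -m limit --limit {rate_per_minute}/minute "
        f"--limit-burst {burst} -j ACCEPT",
        f"-A INPUT -p tcp --dport {port} --syn -j DROP",
    ]


# Constructed sample: ten SYNs one second apart (a brute-force burst), then one
# retry 35 s after the first attempt.
BRUTE_FORCE = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 35]

if __name__ == "__main__":
    for burst in (5, 2):
        v = simulate_limit_match(BRUTE_FORCE, 2, burst)
        print(f"--limit 2/minute --limit-burst {burst}:",
              "".join("A" if ok else "D" for ok in v))
    print("\n".join(render_rules(2, 2)))
```

With the default burst the output is AAAAADDDDDA; with --limit-burst 2 it is AADDDDDDDDA, which is the "two tries, then wait" behaviour the post describes.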
