And how do you explain the fact that telnet, smtp, dns ... and so on
work? And that it worked yesterday?
On Tue, 12 Sep 2000, Mircea Ciocan wrote:
> Eh, those SYN packets you blocked will protect you against SYN
> floods, and will likewise protect others from connecting to you :).
> Try syn-cookies as a meager means of protection (it is about all you
> can do if you have an open port) and let the poor packets come to
> you, because otherwise nobody will be able to connect.
>
> Mircea C.
>
>
> Ionut MURGOCI wrote:
> >
> > Hi, I have a problem with the rules for sshd. I built myself a firewall,
> > and everything I want works fine except sshd. If a user does ssh from
> > outside it rejects him, but if I ssh from inside to outside it works.
> > The rules are as follows:
> > First:
> > the default policy for input and output is reject - and it has to stay that way
> > then the rules for ssh client and server:
> > ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y -s $ANYWHERE $UNPRIVPORTS \
> >     -d $ANYWHERE 22 -j ACCEPT
> > ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE 22 \
> >     -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
> > ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE $SSH_PORTS \
> >     -d $ANYWHERE 22 -j ACCEPT
> > ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y -s $ANYWHERE 22 \
> >     -d $ANYWHERE $SSH_PORTS -j ACCEPT
> > ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE 22 -j ACCEPT
> > ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -d $ANYWHERE 22 -j ACCEPT
> >
> > Where:
> > ANYWHERE="any/0"
> > PRIVPORTS="0:1023"
> > UNPRIVPORTS="1024:65535"
> > SSH_PORTS="1022:1023"
> >
> > Can you tell me where the problem is, because to me the rules for
> > the server look correct.
> > Thx!
> >
> > --
> > ----------------------------------------------------------
> > Imagination is the only weapon in the war against reality.
> > Sysadmin - Computer Science Highschool - IASI *
> >
> > ---
> > Send e-mail to '[EMAIL PROTECTED]' with 'unsubscribe rlug' to
> > unsubscribe from this list.
>
--
----------------------------------------------------------
Imagination is the only weapon in the war against reality.
Sysadmin - Computer Science Highschool - IASI *
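
Added example, not part of the original thread or the posters' own code: a small Python model of ipchains first-match evaluation applied to the three input rules quoted above, showing where an inbound connection-opening SYN to port 22 ends up. The client source port 40000 and the `fixed_rules` variant (rule 1 without `! -y`) are assumptions made for illustration.

```python
# Added illustration: minimal model of ipchains first-match evaluation.
# Only the fields used by the input rules in the post are modelled.
ANY = (0, 65535)
UNPRIV = (1024, 65535)      # UNPRIVPORTS from the post
SSH_PORTS = (1022, 1023)    # SSH_PORTS from the post
SSH = (22, 22)

# (source ports, destination ports, syn) where syn is
# None = any TCP packet, False = "! -y" (anything except a bare SYN).
INPUT_RULES = [
    (UNPRIV, SSH, False),    # input rule 1: ! -y, unprivileged -> 22
    (SSH_PORTS, SSH, None),  # input rule 2: 1022:1023 -> 22
    (SSH, ANY, None),        # input rule 3: source port 22 -> anything
]

def in_range(port, rng):
    return rng[0] <= port <= rng[1]

def verdict(rules, sport, dport, is_syn, policy="REJECT"):
    """Return (target, rule number) for a TCP packet; rule 0 is the policy.

    is_syn means a connection-opening packet (SYN set, ACK and FIN clear),
    which is what ipchains -y matches.
    """
    for number, (src, dst, syn) in enumerate(rules, start=1):
        if not (in_range(sport, src) and in_range(dport, dst)):
            continue
        if syn is False and is_syn:
            continue  # "! -y" never matches the opening SYN
        return ("ACCEPT", number)
    return (policy, 0)

def fixed_rules():
    """Assumed fix: same chain with "! -y" dropped from rule 1."""
    return [(UNPRIV, SSH, None)] + INPUT_RULES[1:]

if __name__ == "__main__":
    # Constructed packets; source port 40000 is an assumed client port.
    print("inbound SYN 40000->22:", verdict(INPUT_RULES, 40000, 22, True))
    print("inbound ACK 40000->22:", verdict(INPUT_RULES, 40000, 22, False))
    print("inbound SYN 1023->22: ", verdict(INPUT_RULES, 1023, 22, True))
    print("reply 22->40000:      ", verdict(INPUT_RULES, 22, 40000, False))
    print("fixed, SYN 40000->22: ", verdict(fixed_rules(), 40000, 22, True))
```

In this model the only inbound SYN to port 22 that is accepted comes from source ports 1022:1023, while replies to outbound ssh connections pass through rule 3.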