Dan, read my whole message. I was saying that I only gave an example, and there's no need for anyone to tell me that SSH CAN BE PUT ON OTHER PORTS TOO; after that I gave an example to show that I, too, know how to put ssh on other ports. Why don't you read everything the man writes?

Tuesday, October 14, 2003, 5:30:45 PM, you wrote:

DU> You didn't understand; read the initial message again. He wants to cut off
DU> ssh access for anyone on the network towards any ssh server outside,
DU> regardless of the port it runs on. In that case /etc/ssh?/sshd_config is of
DU> no interest to you, because you have no access to it. You can't cut it off
DU> based on ports.
DU> Read the messages carefully, folks, don't rush to answer the inverse of the
DU> problem that was posed.
DU> "Live to Win, Dare to Fail" - James Hetfield

>> I know, it was just an example I gave. No need to jump on me right away:
>> if I can write 3 lines of iptables, maybe I also know how to change a damn
>> port in /etc/ssh2/sshd_config, or tell the server directly to start with
>> the -q port parameter, for example /usr/sbin/sshd -q 1234

>> Tuesday, October 14, 2003, 5:12:07 PM, you wrote:

DU> Not all ssh servers run on port 22. I, for example, installed one today on
DU> port 57233 and tomorrow I'll move it to 23581. You can't filter something
DU> variable; you have to hook into the content of the packets that initiate
DU> the connection.

>> iptables -A FORWARD -p tcp --dport 22 -j DROP
>> iptables -I FORWARD -s ip_care_are_voi_1 -p tcp --dport 22 -j ACCEPT
>> iptables -I FORWARD -s ip_care_are_voi_2 -p tcp --dport 22 -j ACCEPT
>> iptables -I FORWARD -s ip_care_are_voi_3 -p tcp --dport 22 -j ACCEPT
>> iptables -I FORWARD -s ip_care_are_voi_4 -p tcp --dport 22 -j ACCEPT
>> iptables -I FORWARD -s ip_care_are_voi_5 -p tcp --dport 22 -j ACCEPT
>> iptables -I FORWARD -s ip_care_are_voi_6 -p tcp --dport 22 -j ACCEPT
>> iptables -I FORWARD -s ip_care_are_voi_7 -p tcp --dport 22 -j ACCEPT
>> ...
>>
>> and you've solved the problem: nobody connects out on 22 except those who
>> are allowed to.

>> Tuesday, October 14, 2003, 5:00:20 PM, you wrote:

IA> I don't want to let just anyone leave the internal network over ssh
IA> towards other servers.

IA> ----- Original Message -----
IA> From: "Knight" <[EMAIL PROTECTED]>
IA> To: "Ioan Alin" <[EMAIL PROTECTED]>
IA> Sent: Tuesday, October 14, 2003 5:54 PM
IA> Subject: [rlug] Re: ICQ & YM and firewall

>> Ioan,
>>
>> so you don't want to let anyone leave the internal network over ssh
>> towards other servers? Or you don't want people to be able to connect to
>> your server over ssh except from certain IPs?

>> Tuesday, October 14, 2003, 4:46:39 PM, you wrote:

IA> The problem is that I don't know the destination IP (that would be easy).
IA> All I would like is, from the router, to cut off the ssh clients on
IA> certain IPs (when someone wants to make a connection to some arbitrary
IA> ssh server).

IA> ----- Original Message -----
IA> From: "Radu" <[EMAIL PROTECTED]>
IA> To: <[EMAIL PROTECTED]>
IA> Sent: Wednesday, October 15, 2003 2:41 AM
IA> Subject: [rlug] Re: ICQ & YM and firewall

R> Brother Alin,
R>
R> From what I remember, but I'm not sure, you still have to check. The
R> following:
R> If it's a router:
R> iptables -A FORWARD -s <ip of the host you want to cut off> -d <ip of the ssh server> -j DROP
R> If you want to deny outgoing traffic from a particular host:
R> iptables -A OUTPUT -d <ip of the ssh server> -j DROP
R> The stuff above cuts all traffic towards that server.
R>
R> With bows, master.

R> ----- Original Message -----
R> From: "Ioan Alin" <[EMAIL PROTECTED]>
R> To: <[EMAIL PROTECTED]>
R> Sent: Tuesday, October 14, 2003 7:32 AM
R> Subject: [rlug] Re: ICQ & YM and firewall

IA> I'd be interested in cutting off all outgoing connections to an ssh
IA> server, too (any port, not necessarily 22).

IA> ----- Original Message -----
IA> From: "Radu" <[EMAIL PROTECTED]>
IA> To: <[EMAIL PROTECTED]>
IA> Sent: Wednesday, October 15, 2003 2:29 AM
IA> Subject: [rlug] Re: ICQ & YM and firewall

R> Brother, no problem at all.
R> The question is how it could still be done with that damned yahoo
R> messenger... because this thing is stressing me too.
R> And I don't have too many ideas... in that direction...
R> Maybe someone has dealt with it after all... just with blocking yahoo
R> messenger...?
R>
R> Radu.

R> ----- Original Message -----
R> From: "Knight" <[EMAIL PROTECTED]>
R> To: "Radu" <[EMAIL PROTECTED]>
R> Sent: Tuesday, October 14, 2003 8:23 AM
R> Subject: [rlug] Re: ICQ & YM and firewall

>> Radu,
>>
>> I think mea culpa.
>> But where the hell did I read ipchains, because I know for sure that's
>> what I read. Whatsoever, sorry.

>> Wednesday, October 15, 2003, 2:05:25 AM, you wrote:

R> Brother Knight,
R>
R> You'd better look carefully at the threads. The poor man had asked about
R> iptables. Just for the record, look back and you'll see you're answering
R> a bit off the mark. The thing about opening your eyes... is very true. It
R> starts right from the first mail....
R> For documentation purposes... I list it below... I hope you won't be upset
R> with me, but it seems to me it says iptables. I know this because I
R> finished first grade with honours... :))
R>
R> Be good,
R> Radu.
R>
R> ------------------------------------------------------------------
R> Hi,
R>
R> I have a firewall script, made with iptables, on a gateway whose policy on
R> the forward chain is "DROP" and which allows the users on the local
R> network to connect, on the internet, only to ports 80, 25, 110.
R> My idea would be that the people on the local network can only get out on
R> web and mail.
R> The problem appears when ICQ or YM uses any port to connect outside and
R> connects to a multitude of addresses. So people on the local network can
R> chat freely.
R> Can someone tell me how this trouble gets solved?
R>
R> --
R> Thanks in advance,
R> Liviu                          mailto:[EMAIL PROTECTED]
R> ------------------------------------------------------------------

R> ----- Original Message -----
R> From: "Knight" <[EMAIL PROTECTED]>
R> To: "Radu" <[EMAIL PROTECTED]>
R> Sent: Tuesday, October 14, 2003 7:55 AM
R> Subject: [rlug] Re: ICQ & YM and firewall

>> Radu,
>>
>> did you even read what I wrote?
>> The man who posted the thread asked for help with ipchains, so don't jump
>> on me. Alphabet my foot; it's a matter of following a thread and opening
>> your eyes wide :))

>> Wednesday, October 15, 2003, 1:48:55 AM, you wrote:

R> Old man, IPTABLES. Not ipchains.
R> A matter of alphabet.

R> ----- Original Message -----
R> From: "Knight" <[EMAIL PROTECTED]>
R> To: "Dekxter X." <[EMAIL PROTECTED]>
R> Sent: Tuesday, October 14, 2003 7:01 AM
R> Subject: [rlug] Re: ICQ & YM and firewall

>> Dekxter,
>>
>> yes, but the man specified that he wants ipchains
>> :(((((((
>> With -y I think it was, in ipchains :)) instead of --syn

>> Monday, October 13, 2003, 6:32:40 PM, you wrote:

DX> you will have to modify FORWARD with:
DX>
DX> iptables --policy FORWARD DROP
DX>
DX> iptables -A FORWARD -d 192.168.0.0/24 -p tcp --dport 25 --jump ACCEPT
DX> iptables -A FORWARD -d 192.168.0.0/24 -p tcp --dport 80 --jump ACCEPT
DX> iptables -A FORWARD -d 192.168.0.0/24 -p tcp --dport 110 --jump ACCEPT
DX> iptables -A FORWARD -d 192.168.0.0/24 -p tcp --dport 143 --jump ACCEPT
DX> # these 4 rules are for access to any address for
DX> # mail via POP3, IMAP, send (SMTP) and www
DX>
DX> iptables -A FORWARD -d 192.168.0.0/24 -p tcp --syn --jump DROP
DX> iptables -A FORWARD -s 192.168.0.0/24 -p tcp --syn --jump DROP
DX> # these 2 rules reject any attempt to initiate a connection
DX> # into the local network or from the local network towards the internet
DX>
DX> iptables -A FORWARD -d 192.168.0.0/24 -p tcp --jump ACCEPT
DX> # this rule accepts any other type of tcp connection
DX>
DX> # man iptables
DX>
DX> [!] --syn
DX> Only match TCP packets with the SYN bit set and the ACK and RST
DX> bits cleared. Such packets are used to request TCP connection
DX> initiation; for example, blocking such packets coming in an interface
DX> will prevent incoming TCP connections, but outgoing TCP connections will
DX> be unaffected.
DX> It is equivalent to --tcp-flags SYN,RST,ACK SYN. If the "!" flag
DX> precedes the "--syn", the sense of the option is inverted.
DX>
DX> ps: if I'm wrong please correct me ...
DX>
DX> Liviu wrote:
DX>
DX> > Hi,
DX> > My idea would be that the people on the local network can only get out
DX> > on web and mail.

--
Best regards,
Knight

This message was brought to you by the numbers 0 and 1.

---
Details about our mailing lists: http://www.lug.ro/
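The content-based check Dan describes, as an added Python example that is not part of the thread: SSH on an arbitrary port is recognisable only from the client's RFC 4253 identification string, not from the destination port. The LAN prefix, the web/mail port set and the allowlisted host are constructed values standing in for the thread's placeholders.

```python
import re
from ipaddress import ip_address, ip_network

# RFC 4253 section 4.2: a peer opens the stream with
#   SSH-protoversion-softwareversion SP comments CR LF
# (255 bytes at most). "2.0" and "1.99" are SSH-2, "1.5" is the old SSH-1.
# The RFC forbids "-" inside softwareversion, but real banners such as
# "SSH-2.0-Cisco-1.25" break that rule, so only whitespace is excluded here.
SSH_IDENT = re.compile(
    rb"\ASSH-(?P<proto>2\.0|1\.99|1\.5)-(?P<soft>[\x21-\x7e]+)"
    rb"(?: (?P<comment>[^\r\n]*))?\r?\n"
)

# Constructed policy values (not from the thread): the LAN Dekxter used,
# Liviu's web+mail ports, and one host standing in for "ip_care_are_voi_N".
LAN = ip_network("192.168.0.0/24")
ALLOWED_PORTS = {80, 25, 110}
SSH_ALLOWED = {ip_address("192.168.0.10")}


def parse_ssh_banner(payload: bytes):
    """Return the parsed identification string if payload starts with one, else None."""
    m = SSH_IDENT.match(payload)
    if m is None or m.end() > 255:
        return None
    comment = m.group("comment")
    return {
        "proto": m.group("proto").decode("ascii"),
        "software": m.group("soft").decode("ascii"),
        "comment": comment.decode("ascii", "replace") if comment is not None else None,
    }


def egress_verdict(src: str, dst_port: int, first_payload: bytes) -> str:
    """Verdict for the first client data segment of an outbound LAN flow.

    The destination port says nothing about SSH; the client's identification
    string does. It is only visible after the TCP handshake, so this is a
    stream check, not something a --syn rule can do.
    """
    s = ip_address(src)
    if s not in LAN:
        return "DROP"                     # not our LAN, FORWARD policy applies
    if parse_ssh_banner(first_payload) is not None:
        return "ACCEPT" if s in SSH_ALLOWED else "DROP"   # SSH on *any* port
    if dst_port in ALLOWED_PORTS:
        return "ACCEPT"                   # web and mail
    return "DROP"                         # everything else, incl. ICQ/YM ports
```

In iptables the same idea is what the `string` match expresses (`-m string --algo bm --string "SSH-"` on FORWARD); note that it also sees the server's banner in the return direction, so pair it with a source/destination match.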
