Re: [qmailtoaster] Q7

2015-04-06 Thread Dave M

Correction,

SMTP set to port 587, Auto


On 4/6/2015 11:48 AM, Dave M wrote:

Success
After waiting for DNS propagation, I am now running one test domain, 
with 3 email accounts live on Centos7 Qmail-toaster standard install.


I setup Outlook client, using IMAP, port 993, SSL, SMTP port 587, SSL
So far no errors at all.



Oh yes, firewall is now secured,

Thanks
Dave M


thanks all,
as I hadn't completed the install at that point, I also hadn't copied 
in my special firewall rules : )


Thanks for the reminders.

My centos7 install will be live with one test domain tomorrow

Cheers
Dave M

On Apr 3, 2015 4:53 PM, DNK d.k.emailli...@gmail.com wrote:


I have a mgmt machine to connect to all my servers. Then I access
that mgmt machine VIA SSH W/ Keys and a passphrase. 2 factor
authentication is going  to be layered on as well.

-- 
DNK


On April 3, 2015 at 3:08:50 PM, Cecil Yother, Jr. (c...@yother.com) wrote:


yet another tip.

Isolate your ip in iptables like so

-A INPUT -p tcp -m tcp -s 192.168.0.1 --dport 5150 -j ACCEPT

using non-standard port replacing the private ip with your
public IP address.

The only problem with this approach is accessing it from the
road where your IP is changing.



On 04/03/2015 11:41 AM, Hasan Akgöz wrote:

second tip ;

It does this by using simple Access List Rules which are
included in the two files /etc/hosts.allow and /etc/hosts.deny
. Firstly allow access by placing the following inside
/etc/hosts.allow:

/etc/hosts.allow
sshd: 1.2.3.0/255.255.255.0    ( 1.2.3.0 secure network )

Then disallow all further access by placing this in
/etc/hosts.deny:

/etc/hosts.deny
sshd: ALL

third tip :

Change the absolute ssh port. For example 2122 .




2015-04-03 17:01 GMT+03:00 Dan McAllister q...@it4soho.com:

On 4/2/2015 5:20 PM, Dave M wrote:

This should make you smile

I have just this minute finished an install of Centos7 to
prepare for the qmail-toaster install.

After the first update , and reboot, I logged in via ssh

Up pops the security message:

*There were 249 failed login attempts since the last
successful login.*

Thankfully the default firewall took care of them

Just be careful doing installs with live external IP, and
disabling the firewall until you are done

Made me laugh : )


Just a tip --

Instead of leaving your SSH port open, put a connection
limit on it:

The following entries are from an iptables config file:

-A INPUT -p tcp --dport   22 -m limit --limit 2/minute  -j ACCEPT
-A INPUT -p tcp --dport   22 -j DROP

You can fail your login attempt twice per minute, then
you're dropped for the remainder of the minute.
In most cases, they fail the login twice in like a
10-second period, fail a few more times (with unsuccessful
connections this time) and finally quit -- blissfully
unaware that they could try 2 more times in 60 seconds.

The point is, if you're just fat-fingering your SSH
password, no worries - wait 60 seconds
But if you're trying a brute-force attack, good luck --
instead of hundreds of tries per minute, you now get just 2...

Needless to say, you can adjust to your own recipe...

Dan McAllister
IT4SOHO


--
IT4SOHO, LLC
33 - 4th Street N, Suite 211
St. Petersburg, FL 33701-3806

CALL TOLL FREE:
   877-IT4SOHO

877-484-7646 Phone
727-647-7646 Local
727-490-4394 Fax

We have support plans for QMail!




--








Re: [qmailtoaster] Q7

2015-04-06 Thread Dave M

Success
After waiting for DNS propagation, I am now running one test domain, 
with 3 email accounts live on Centos7 Qmail-toaster standard install.


I setup Outlook client, using IMAP, port 993, SSL, SMTP port 587, SSL
So far no errors at all.



Oh yes, firewall is now secured,

Thanks
Dave M


thanks all,
as I hadn't completed the install at that point, I also hadn't copied 
in my special firewall rules : )


Thanks for the reminders.

My centos7 install will be live with one test domain tomorrow

Cheers
Dave M

On Apr 3, 2015 4:53 PM, DNK d.k.emailli...@gmail.com wrote:


I have a mgmt machine to connect to all my servers. Then I access
that mgmt machine VIA SSH W/ Keys and a passphrase. 2 factor
authentication is going  to be layered on as well.

-- 
DNK


On April 3, 2015 at 3:08:50 PM, Cecil Yother, Jr. (c...@yother.com) wrote:


yet another tip.

Isolate your ip in iptables like so

-A INPUT -p tcp -m tcp -s 192.168.0.1 --dport 5150 -j ACCEPT

using non-standard port replacing the private ip with your public
IP address.

The only problem with this approach is accessing it from the road
where your IP is changing.



On 04/03/2015 11:41 AM, Hasan Akgöz wrote:

second tip ;

It does this by using simple Access List Rules which are
included in the two files /etc/hosts.allow and /etc/hosts.deny
. Firstly allow access by placing the following inside
/etc/hosts.allow:

/etc/hosts.allow
sshd: 1.2.3.0/255.255.255.0    ( 1.2.3.0 secure network )

Then disallow all further access by placing this in /etc/hosts.deny:

/etc/hosts.deny
sshd: ALL

third tip :

Change the absolute ssh port. For example 2122 .




2015-04-03 17:01 GMT+03:00 Dan McAllister q...@it4soho.com:

On 4/2/2015 5:20 PM, Dave M wrote:

This should make you smile

I have just this minute finished an install of Centos7 to
prepare for the qmail-toaster install.

After the first update , and reboot, I logged in via ssh

Up pops the security message:

*There were 249 failed login attempts since the last
successful login.*

Thankfully the default firewall took care of them

Just be careful doing installs with live external IP, and
disabling the firewall until you are done

Made me laugh : )


Just a tip --

Instead of leaving your SSH port open, put a connection
limit on it:

The following entries are from an iptables config file:

-A INPUT -p tcp --dport   22 -m limit --limit 2/minute  -j ACCEPT
-A INPUT -p tcp --dport   22 -j DROP

You can fail your login attempt twice per minute, then
you're dropped for the remainder of the minute.
In most cases, they fail the login twice in like a 10-second
period, fail a few more times (with unsuccessful connections
this time) and finally quit -- blissfully unaware that they
could try 2 more times in 60 seconds.

The point is, if you're just fat-fingering your SSH
password, no worries - wait 60 seconds
But if you're trying a brute-force attack, good luck --
instead of hundreds of tries per minute, you now get just 2...

Needless to say, you can adjust to your own recipe...

Dan McAllister
IT4SOHO


--
IT4SOHO, LLC
33 - 4th Street N, Suite 211
St. Petersburg, FL 33701-3806

CALL TOLL FREE:
   877-IT4SOHO

877-484-7646 Phone
727-647-7646 Local
727-490-4394 Fax

We have support plans for QMail!




--






Re: [qmailtoaster] Q7

2015-04-05 Thread Madd Macc
thanks all,
as I hadn't completed the install at that point, I also hadn't copied in my
special firewall rules : )

Thanks for the reminders.

My centos7 install will be live with one test domain tomorrow

Cheers
Dave M
On Apr 3, 2015 4:53 PM, DNK d.k.emailli...@gmail.com wrote:

 I have a mgmt machine to connect to all my servers. Then I access that
 mgmt machine VIA SSH W/ Keys and a passphrase. 2 factor authentication is
 going  to be layered on as well.

 --
 DNK

 On April 3, 2015 at 3:08:50 PM, Cecil Yother, Jr. (c...@yother.com) wrote:

 yet another tip.

 Isolate your ip in iptables like so

 -A INPUT -p tcp -m tcp -s 192.168.0.1 --dport 5150 -j ACCEPT

 using non-standard port replacing the private ip with your public IP
 address.

 The only problem with this approach is accessing it from the road where
 your IP is changing.



 On 04/03/2015 11:41 AM, Hasan Akgöz wrote:

 second tip ;

 It does this by using simple Access List Rules which are included in the
 two files /etc/hosts.allow and /etc/hosts.deny . Firstly allow access by
 placing the following inside /etc/hosts.allow:

 /etc/hosts.allow
 sshd: 1.2.3.0/255.255.255.0    ( 1.2.3.0 secure network )

 Then disallow all further access by placing this in /etc/hosts.deny:

 /etc/hosts.deny
 sshd: ALL

 third tip :

 Change the absolute ssh port. For example 2122 .




 2015-04-03 17:01 GMT+03:00 Dan McAllister q...@it4soho.com:

   On 4/2/2015 5:20 PM, Dave M wrote:

 This should make you smile

 I have just this minute finished an install of Centos7 to prepare for the
 qmail-toaster install.

 After the first update , and reboot, I logged in via ssh

 Up pops the security message:

 *There were 249 failed login attempts since the last successful login.*

 Thankfully the default firewall took care of them

 Just be careful doing installs with live external IP, and disabling the
 firewall until you are done

 Made me laugh : )


  Just a tip --

 Instead of leaving your SSH port open, put a connection limit on it:

 The following entries are from an iptables config file:

 -A INPUT -p tcp --dport   22 -m limit --limit 2/minute  -j ACCEPT
 -A INPUT -p tcp --dport   22 -j DROP

 You can fail your login attempt twice per minute, then you're dropped for
 the remainder of the minute.
 In most cases, they fail the login twice in like a 10-second period, fail
 a few more times (with unsuccessful connections this time) and finally quit
 -- blissfully unaware that they could try 2 more times in 60 seconds.

 The point is, if you're just fat-fingering your SSH password, no worries
 - wait 60 seconds
 But if you're trying a brute-force attack, good luck -- instead of
 hundreds of tries per minute, you now get just 2...

 Needless to say, you can adjust to your own recipe...

 Dan McAllister
 IT4SOHO


 --
 IT4SOHO, LLC
 33 - 4th Street N, Suite 211
 St. Petersburg, FL 33701-3806

 CALL TOLL FREE:
   877-IT4SOHO

 877-484-7646 Phone
 727-647-7646 Local
 727-490-4394 Fax

 We have support plans for QMail!




 --






Re: [qmailtoaster] Q7

2015-04-03 Thread Hasan Akgöz
2015-04-03 0:20 GMT+03:00 Dave M sysad...@tricubemedia.com:

 Up pops the security message:


There are many people bored :).


Re: [qmailtoaster] Q7

2015-04-03 Thread Sebastian Grewe
Third tip: run OpenVPN on your server and disallow public access to all non VPN 
IPs to all ports and open only those to public you really need. Keep OpenVPN 
updated to avoid stuff like the past Heartbleed attack and rotate certificates. 
Connect to VPN to access all privileged ports that are only available through 
VPN.

Cheers,
Sebastian

 On 03 Apr 2015, at 11:41, Hasan Akgöz hasanak...@mail.ru wrote:
 
 second tip ;
 
 It does this by using simple Access List Rules which are included in the two 
 files /etc/hosts.allow and /etc/hosts.deny . Firstly allow access by placing 
 the following inside /etc/hosts.allow:
 
 /etc/hosts.allow
 sshd: 1.2.3.0/255.255.255.0    ( 1.2.3.0 secure network )
 
 Then disallow all further access by placing this in /etc/hosts.deny:
 
 /etc/hosts.deny
 sshd: ALL
 
 third tip :
 
 Change the absolute ssh port. For example 2122 .
 
 
 
 
 2015-04-03 17:01 GMT+03:00 Dan McAllister q...@it4soho.com:
 On 4/2/2015 5:20 PM, Dave M wrote:
 This should make you smile
 
 I have just this minute finished an install of Centos7 to prepare for the 
 qmail-toaster install.
 
 After the first update , and reboot, I logged in via ssh
 
 Up pops the security message:
 
 There were 249 failed login attempts since the last successful login.
 
 Thankfully the default firewall took care of them
 
 Just be careful doing installs with live external IP, and disabling the 
 firewall until you are done
 
 Made me laugh : )
 
 Just a tip -- 
 
 Instead of leaving your SSH port open, put a connection limit on it:
 
 The following entries are from an iptables config file:
 
 -A INPUT -p tcp --dport   22 -m limit --limit 2/minute  -j ACCEPT
 -A INPUT -p tcp --dport   22 -j DROP
 
 You can fail your login attempt twice per minute, then you're dropped for 
 the remainder of the minute.
 In most cases, they fail the login twice in like a 10-second period, fail a 
 few more times (with unsuccessful connections this time) and finally quit -- 
 blissfully unaware that they could try 2 more times in 60 seconds.
 
 The point is, if you're just fat-fingering your SSH password, no worries - 
 wait 60 seconds
 But if you're trying a brute-force attack, good luck -- instead of hundreds 
 of tries per minute, you now get just 2...
 
 Needless to say, you can adjust to your own recipe...
 
 Dan McAllister
 IT4SOHO
 
 
 -- 
 IT4SOHO, LLC
 33 - 4th Street N, Suite 211
 St. Petersburg, FL 33701-3806
 
 CALL TOLL FREE:
   877-IT4SOHO
 
 877-484-7646 Phone
 727-647-7646 Local
 727-490-4394 Fax 
 
 We have support plans for QMail!
 
 


Re: [qmailtoaster] Q7

2015-04-03 Thread Cecil Yother, Jr.
yet another tip.

Isolate your ip in iptables like so

-A INPUT -p tcp -m tcp -s 192.168.0.1 --dport 5150 -j ACCEPT

using non-standard port replacing the private ip with your public IP
address.

The only problem with this approach is accessing it from the road where
your IP is changing. 



On 04/03/2015 11:41 AM, Hasan Akgöz wrote:
 second tip ;

 It does this by using simple Access List Rules which are included in
 the two files /etc/hosts.allow and /etc/hosts.deny . Firstly allow
 access by placing the following inside /etc/hosts.allow:

 /etc/hosts.allow
 sshd: 1.2.3.0/255.255.255.0    ( 1.2.3.0 secure network )

 Then disallow all further access by placing this in /etc/hosts.deny:

 /etc/hosts.deny
 sshd: ALL

 third tip :

 Change the absolute ssh port. For example 2122 .




 2015-04-03 17:01 GMT+03:00 Dan McAllister q...@it4soho.com:

 On 4/2/2015 5:20 PM, Dave M wrote:
 This should make you smile

 I have just this minute finished an install of Centos7 to prepare
 for the qmail-toaster install.

 After the first update , and reboot, I logged in via ssh

 Up pops the security message:

 *There were 249 failed login attempts since the last successful
 login.*

 Thankfully the default firewall took care of them

 Just be careful doing installs with live external IP, and
 disabling the firewall until you are done

 Made me laugh : )

 Just a tip --

 Instead of leaving your SSH port open, put a connection limit on it:

 The following entries are from an iptables config file:

 -A INPUT -p tcp --dport   22 -m limit --limit 2/minute  -j ACCEPT
 -A INPUT -p tcp --dport   22 -j DROP

 You can fail your login attempt twice per minute, then you're
 dropped for the remainder of the minute.
 In most cases, they fail the login twice in like a 10-second
 period, fail a few more times (with unsuccessful connections this
 time) and finally quit -- blissfully unaware that they could try 2
 more times in 60 seconds.

 The point is, if you're just fat-fingering your SSH password, no
 worries - wait 60 seconds
 But if you're trying a brute-force attack, good luck -- instead of
 hundreds of tries per minute, you now get just 2...

 Needless to say, you can adjust to your own recipe...

 Dan McAllister
 IT4SOHO


 -- 
 IT4SOHO, LLC
 33 - 4th Street N, Suite 211
 St. Petersburg, FL 33701-3806

 CALL TOLL FREE:
   877-IT4SOHO

 877-484-7646 Phone
 727-647-7646 Local
 727-490-4394 Fax 

 We have support plans for QMail!



-- 


Re: [qmailtoaster] Q7

2015-04-03 Thread DNK
I have a mgmt machine to connect to all my servers. Then I access that mgmt 
machine VIA SSH W/ Keys and a passphrase. 2 factor authentication is going  to 
be layered on as well.

-- 
DNK

On April 3, 2015 at 3:08:50 PM, Cecil Yother, Jr. (c...@yother.com) wrote:

yet another tip.

Isolate your ip in iptables like so

-A INPUT -p tcp -m tcp -s 192.168.0.1 --dport 5150 -j ACCEPT

using non-standard port replacing the private ip with your public IP address.

The only problem with this approach is accessing it from the road where your IP 
is changing. 



On 04/03/2015 11:41 AM, Hasan Akgöz wrote:
second tip ;

It does this by using simple Access List Rules which are included in the two 
files /etc/hosts.allow and /etc/hosts.deny . Firstly allow access by placing 
the following inside /etc/hosts.allow:

/etc/hosts.allow
sshd: 1.2.3.0/255.255.255.0    ( 1.2.3.0 secure network )

Then disallow all further access by placing this in /etc/hosts.deny:

/etc/hosts.deny
sshd: ALL

third tip :

Change the absolute ssh port. For example 2122 .




2015-04-03 17:01 GMT+03:00 Dan McAllister q...@it4soho.com:
On 4/2/2015 5:20 PM, Dave M wrote:
This should make you smile

I have just this minute finished an install of Centos7 to prepare for the 
qmail-toaster install.

After the first update , and reboot, I logged in via ssh

Up pops the security message:

There were 249 failed login attempts since the last successful login.

Thankfully the default firewall took care of them

Just be careful doing installs with live external IP, and disabling the 
firewall until you are done

Made me laugh : )

Just a tip --

Instead of leaving your SSH port open, put a connection limit on it:

The following entries are from an iptables config file:

-A INPUT -p tcp --dport   22 -m limit --limit 2/minute  -j ACCEPT
-A INPUT -p tcp --dport   22 -j DROP

You can fail your login attempt twice per minute, then you're dropped for the 
remainder of the minute.
In most cases, they fail the login twice in like a 10-second period, fail a few 
more times (with unsuccessful connections this time) and finally quit -- 
blissfully unaware that they could try 2 more times in 60 seconds.

The point is, if you're just fat-fingering your SSH password, no worries - wait 
60 seconds
But if you're trying a brute-force attack, good luck -- instead of hundreds of 
tries per minute, you now get just 2...

Needless to say, you can adjust to your own recipe...

Dan McAllister
IT4SOHO


--  
IT4SOHO, LLC
33 - 4th Street N, Suite 211
St. Petersburg, FL 33701-3806

CALL TOLL FREE:
  877-IT4SOHO

877-484-7646 Phone
727-647-7646 Local
727-490-4394 Fax  

We have support plans for QMail!



--


Re: [qmailtoaster] Q7

2015-04-03 Thread Dan McAllister

On 4/2/2015 5:20 PM, Dave M wrote:

This should make you smile

I have just this minute finished an install of Centos7 to prepare for 
the qmail-toaster install.


After the first update , and reboot, I logged in via ssh

Up pops the security message:

*There were 249 failed login attempts since the last successful login.*

Thankfully the default firewall took care of them

Just be careful doing installs with live external IP, and disabling 
the firewall until you are done


Made me laugh : )


Just a tip --

Instead of leaving your SSH port open, put a connection limit on it:

The following entries are from an iptables config file:

-A INPUT -p tcp --dport   22 -m limit --limit 2/minute  -j ACCEPT
-A INPUT -p tcp --dport   22 -j DROP

You can fail your login attempt twice per minute, then you're dropped 
for the remainder of the minute.
In most cases, they fail the login twice in like a 10-second period, 
fail a few more times (with unsuccessful connections this time) and 
finally quit -- blissfully unaware that they could try 2 more times in 
60 seconds.


The point is, if you're just fat-fingering your SSH password, no worries 
- wait 60 seconds
But if you're trying a brute-force attack, good luck -- instead of 
hundreds of tries per minute, you now get just 2...


Needless to say, you can adjust to your own recipe...

Dan McAllister
IT4SOHO


--
IT4SOHO, LLC
33 - 4th Street N, Suite 211
St. Petersburg, FL 33701-3806

CALL TOLL FREE:
  877-IT4SOHO

877-484-7646 Phone
727-647-7646 Local
727-490-4394 Fax

We have support plans for QMail!
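
Added example (not part of the post above or of the qmailtoaster project): a small Python model of how the iptables limit match in the two posted rules hands out tokens, compared with one bucket per source address of the kind the hashlimit match keeps. It assumes the default --limit-burst of 5 because the posted rule sets none, treats each event as one packet reaching the rule, and uses constructed addresses from the documentation ranges.

```python
"""Model of `-m limit --limit 2/minute` (token bucket), shared vs per-source."""

SCANNER = "203.0.113.9"   # constructed address (documentation range)
ADMIN = "198.51.100.7"    # constructed address (documentation range)

# Constructed traffic: the scanner tries once a second for 20 s,
# then the administrator makes a single attempt at t = 20 s.
SAMPLE = [(float(t), SCANNER) for t in range(20)] + [(20.0, ADMIN)]


class TokenBucket:
    """Starts full with `burst` tokens and refills at `rate_per_min`."""

    def __init__(self, rate_per_min=2.0, burst=5):
        self.rate = rate_per_min / 60.0   # tokens per second
        self.burst = burst                # --limit-burst (5 if not given)
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now):
        # Refill for the elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True      # rule matches -> ACCEPT
        return False         # no token -> falls through to the DROP rule


def global_limit(packets, **opts):
    """One bucket shared by all sources, as the posted rule pair behaves."""
    bucket = TokenBucket(**opts)
    return [(t, src, bucket.allow(t)) for t, src in packets]


def per_source_limit(packets, **opts):
    """One bucket per source address (assumed hashlimit-style behaviour)."""
    buckets = {}
    results = []
    for t, src in packets:
        bucket = buckets.setdefault(src, TokenBucket(**opts))
        results.append((t, src, bucket.allow(t)))
    return results


def accepted(results, src):
    """Number of packets from `src` that were accepted."""
    return sum(1 for _, s, ok in results if s == src and ok)


if __name__ == "__main__":
    for name, fn in (("shared", global_limit), ("per-source", per_source_limit)):
        res = fn(SAMPLE)
        print(name, "scanner:", accepted(res, SCANNER), "admin:", accepted(res, ADMIN))
```

With the shared bucket the scanner's attempts use up the tokens, so the administrator's attempt at t = 20 s is dropped as well; with one bucket per source it is accepted.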



[qmailtoaster] Q7

2015-04-02 Thread Dave M

This should make you smile

I have just this minute finished an install of Centos7 to prepare for 
the qmail-toaster install.


After the first update , and reboot, I logged in via ssh

Up pops the security message:

*There were 249 failed login attempts since the last successful login.*

Thankfully the default firewall took care of them

Just be careful doing installs with live external IP, and disabling the 
firewall until you are done


Made me laugh : )