[BlueOnyx:12316] Re: Server hacked?
Chuck Tetlow
chuck at tetlow.net
Wed Feb 27 11:48:54 -05 2013
---------- Original Message -----------
From: "Dr. Blunt" <cleardata at earthlink.net>
To: BlueOnyx General Mailing List <blueonyx at mail.blueonyx.it>
Sent: Wed, 27 Feb 2013 08:30:39 -0800
Subject: [BlueOnyx:12314] Re: Server hacked?
> Sometime back Gerald sent me this setup for my iptables -- It has helped
> block plenty of junk at the BO.
>
> # Per service: record each new connection per source (--set), then log and
> # drop once that source has made 8 or more in 60 seconds (--update --hitcount 8)
> /sbin/iptables -A INPUT -i eth0 -p tcp --dport 20200 -m state --state NEW -m recent --set --name SSH2
> /sbin/iptables -A INPUT -i eth0 -p tcp --dport 20200 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH2 -j LOG --log-level 4 --log-prefix 'Block SSH 20200 Attack'
> /sbin/iptables -A INPUT -i eth0 -p tcp --dport 20200 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH2 -j DROP
> /sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
> /sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j LOG --log-level 4 --log-prefix 'Block SSH 22 Attack'
> /sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
> /sbin/iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW -m recent --set --name Dovecot
> /sbin/iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name Dovecot -j LOG --log-level 4 --log-prefix 'Block Dovecot Attack'
> /sbin/iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name Dovecot -j DROP
> /sbin/iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW -m recent --set --name SMTP
> /sbin/iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SMTP -j LOG --log-level 4 --log-prefix 'Block SMTP Attack'
> /sbin/iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SMTP -j DROP
>
> At 08:13 AM 2/27/2013, you wrote:
> > > and added them to deny.hosts.rules in apf but when I restart sendmail,
> > > there they are.
I see a bunch of logging, naming, and blocking. But it also shows TCP Port 22 (SSH) blocked completely - and a new service (SSH2) running and allowed on TCP Port 20200.
Problem with that - you've first got to change your SSH to listen on TCP Port 20200. If not -- the above set of rules will only block SSH access to the server and you've got no way in!
The change required is the "Port" entry in the /etc/ssh/sshd_config file. And don't forget to restart SSH after the change with "service sshd restart".
Chuck
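What the quoted rule set does to a stream of new connections, shown as an added simulation that is not code from this thread or from BlueOnyx: the `--set` rule records a hit for every NEW SYN per source address, and each `--update --seconds 60 --hitcount 8` rule matches only once that source has 8 or more hits within the last 60 seconds, so a source's first seven new connections in a minute pass through to whatever rules follow, and the eighth and later ones are logged and dropped until it stays quiet long enough for the hits to age out. The addresses, timings and the log text are constructed; the `--rttl` TTL comparison and the kernel's jiffies clock are not modelled, and the per-address stamp limit is an approximation of xt_recent's `ip_pkt_list_tot` default.

```python
"""Simulation of the three-rule `-m recent` throttle quoted above.

Added example, not code from the thread or the BlueOnyx project.  Per
source address it models:

    -m recent --set --name SSH                          # record a hit for every NEW SYN
    -m recent --update --seconds 60 --hitcount 8 -j LOG
    -m recent --update --seconds 60 --hitcount 8 -j DROP

Assumptions: time is in simulated seconds instead of kernel jiffies, the
`--rttl` TTL comparison is not modelled, and the kernel's per-address stamp
limit (xt_recent's ip_pkt_list_tot, default 20) is approximated by MAX_STAMPS.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 60  # --seconds 60
HITCOUNT = 8         # --hitcount 8
MAX_STAMPS = 20      # xt_recent ip_pkt_list_tot default


class RecentList:
    """One `--name` list: source address -> hit timestamps, oldest first."""

    def __init__(self, window=WINDOW_SECONDS, hitcount=HITCOUNT):
        self.window = window
        self.hitcount = hitcount
        self.stamps = defaultdict(lambda: deque(maxlen=MAX_STAMPS))

    def set(self, src, now):
        """--set: add the address if absent and record a hit timestamp."""
        self.stamps[src].append(now)

    def update(self, src, now):
        """--update --seconds W --hitcount N: match when the address is listed
        with at least N hits in the last W seconds; a match also refreshes the
        'last seen' stamp, as the iptables man page describes for --update."""
        if src not in self.stamps:
            return False
        recent_hits = sum(1 for t in self.stamps[src] if now - t <= self.window)
        if recent_hits >= self.hitcount:
            self.stamps[src].append(now)
            return True
        return False


def filter_new_connection(recent, src, now, log):
    """Run one NEW SYN through the three rules in order.

    Returns "DROP" if the third rule fires, otherwise "PASS" (the packet goes
    on to whatever rules follow in INPUT; this set never accepts anything)."""
    recent.set(src, now)                    # rule 1: --set, no -j, always falls through
    if recent.update(src, now):             # rule 2: --update ... -j LOG
        log.append(f"Block SSH 22 Attack SRC={src}")   # constructed log line
    if recent.update(src, now):             # rule 3: --update ... -j DROP
        return "DROP"
    return "PASS"


def simulate(events):
    """events: iterable of (seconds, source address) for NEW SYNs to one port.
    Returns ([(seconds, src, verdict), ...], log lines)."""
    recent = RecentList()
    log = []
    verdicts = [(t, src, filter_new_connection(recent, src, t, log)) for t, src in events]
    return verdicts, log


if __name__ == "__main__":
    # Constructed traffic (RFC 5737 addresses): a brute-forcer opening one
    # connection a second, then retrying after a pause, and an admin logging
    # in twice half a minute apart from another address.
    attacker = [(t, "203.0.113.5") for t in range(12)] + [(75, "203.0.113.5")]
    admin = [(3, "198.51.100.9"), (33, "198.51.100.9")]
    verdicts, log = simulate(sorted(attacker + admin))
    for t, src, verdict in verdicts:
        print(f"t={t:3d}s {src:14s} {verdict}")
    print("\n".join(log))
```

Two checks worth making on a live box before trusting rules like these: they are appended with `-A`, so they only take effect if no earlier INPUT rule already accepts the port, and the current contents of each list can be read from `/proc/net/xt_recent/SSH` (older kernels: `/proc/net/ipt_recent/SSH`), which shows the per-source timestamps the hitcount is counted over. A `--hitcount` above 20 needs the xt_recent module loaded with a larger `ip_pkt_list_tot`, since only that many stamps are kept per address.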