<HTML>
<HEAD>
<META content="text/html; charset=iso-8859-1" http-equiv=Content-Type>
<META content="OPENWEBMAIL" name=GENERATOR>
</HEAD>
<BODY bgColor=#ffffff>
<font size="2"><b>---------- Original Message
-----------</b>
<br />
From: "Dr. Blunt" <cleardata@earthlink.net>
<br />
To: BlueOnyx General Mailing List <blueonyx@mail.blueonyx.it>
<br />
Sent: Wed, 27 Feb 2013 08:30:39 -0800
<br />
Subject: [BlueOnyx:12314] Re: Server hacked?
<br />
<br />> Sometime back Gerald sent me this setup for my iptables -- It has
helped
<br />>
block plenty of junk at the BO.
<br />>
<br />>
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 20200 -m state --state NEW
<br />>
-m recent --set --name SSH2
<br />>
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 20200 -m state --state NEW
<br />>
-m recent --update --seconds 60 --hitcount 8 --rttl --name SSH2 -j LOG
<br />>
--log-level 4 --log-prefix 'Block SSH 20200 Attack'
<br />>
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 20200 -m state --state NEW
<br />>
-m recent --update --seconds 60 --hitcount 8 --rttl --name SSH2 -j DROP
<br />>
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m
<br />>
recent --set --name SSH
<br />>
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m
<br />>
recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j LOG
<br />>
--log-level 4 --log-prefix 'Block SSH 22 Attack'
<br />>
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m
<br />>
recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
<br />>
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW -m
<br />>
recent --set --name Dovecot
<br />>
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW -m
<br />>
recent --update --seconds 60 --hitcount 8 --rttl --name Dovecot -j LOG
<br />>
--log-level 4 --log-prefix 'Block Dovecot Attack'
<br />>
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW -m
<br />>
recent --update --seconds 60 --hitcount 8 --rttl --name Dovecot -j DROP
<br />>
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW -m
<br />>
recent --set --name SMTP
<br />>
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW -m
<br />>
recent --update --seconds 60 --hitcount 8 --rttl --name SMTP -j LOG
<br />>
--log-level 4 --log-prefix 'Block SMTP Attack'
<br />>
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW -m
<br />>
recent --update --seconds 60 --hitcount 8 --rttl --name SMTP -j DROP
<br />>
<br />>
At 08:13 AM 2/27/2013, you wrote:
<br />>
> > and added them to deny.hosts.rules in apf but when I restart sendmail,
<br />>
> there they are.
<br />
<br />
<br /><font size="2"><b>I see a bunch of logging, naming, and blocking. But<font size="2"> it <font size="2">also shows TCP Port 22 (SSH) blocked completely - and a new service (SSH2) running and allowed on TCP Port 20200.
<br />
<br />Problem<font size="2"> with that - you've first <font size="2">got to chang<font size="2">e your SSH to listen on TCP Port 20200. I<font size="2">f not <font size="2">-- the above set of <font size="2">rules w<font size="2">ill only block <font size="2">SSH access to the server and you've got no way in<font size="2">!
<br />
<br /><font size="2">The change require<font size="2">d</font> is the "<font size="2">Port" entry in the /etc/ssh/sshd<font size="2">_config file. And don't forget to restart <font size="2">SSH after the change with "service sshd restart".
<br />
<br />
<br />
<br /><font size="2">C<font size="2">huck
<br />
<br />
<br /></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></b></font><b></b>
</font>
</BODY>
</HTML>