[Mageia-discuss] Setting up a port forward

Anne Wilson annew at kde.org
Sat Sep 1 11:10:48 CEST 2012



On 31/08/12 23:16, Deri James wrote:
> On Friday 31 Aug 2012 22:42:26 Thomas Backlund wrote:
>> Why not simply have sshd listen on 2 ports and skip need for
>> port forwarding?
>> 
Thanks, Thomas and Deri.
>> 
>> Just uncomment the "Port 22" line in /etc/ssh/sshd_config and add
>> a second line with the second port
>> 
>> so it would look like
>> 
>> Port 22
>> Port 5122
>> 
>> and restart sshd
>> 
>> with this all access that expects port 22 will continue to work, 
>> and you can also access it through the new 5122 port.
>> 
>> Simple and effective, and no portforwarding needed.
>> 
Done

> And add 5122/tcp to the "Advanced" tab in MCC -> Security ->
> Personal Firewall (if you are using a personal firewall).
> 
Also done

> If the server is accessible from the internet I would recommend
> some further changes to sshd_conf. This is what I use (assuming
> this is a server for personal use, not with hundreds of users
> connecting):-
> 
> =================================================
> 
> LoginGraceTime 120

Was 2m - I assume that is minutes and you gave seconds.  Changed it anyway

> PermitRootLogin no
> 
> TCPKeepAlive yes
> 
Both already set

> AllowUsers ->your user name here<-
> MaxStartups 2:90:4
> 
> ==================================================
> 
> The "MaxStartups" parameter deters the script kiddies trying to
> guess the password:-
> 
> 
> MaxStartups
> ========
> 
> Specifies the maximum number of concurrent unauthenticated
> connections to the SSH daemon. Additional connections will be
> dropped until authentication succeeds or the LoginGraceTime expires
> for a connection. The default is 10.
> 
> Alternatively, random early drop can be enabled by specifying the
> three colon separated values “start:rate:full” (e.g. "10:30:60").
> sshd(8) will refuse connection attempts with a probability of
> “rate/100” (30%) if there are currently “start” (10)
> unauthenticated connections. The probability increases linearly and
> all connection attempts are refused if the number of 
> unauthenticated connections reaches “full” (60).
> 
Done.  Also fail2ban is installed, which should give another layer of
protection.  I've used that for ~3 years, and in that time only seen
3-4 times when it had to work, but work it did :-)

Unfortunately, after adding the IMAP high port to shorewall and
telling dovecot to listen to that port, I still can't get my Roaming
mail profile to work.  I'll have to explore more later today.

Thanks for the help so far.

Anne
-- 
Need KDE help? Try
http://userbase.kde.org or
http://forum.kde.org
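The MaxStartups description quoted in the thread, worked through as an added example (not code from the thread or from OpenSSH itself): it parses the sshd_config value and computes the documented drop probability, so the suggested 2:90:4 can be compared with the manual's 10:30:60 and with a plain limit. The function and class names are this example's own.

```python
"""Model of sshd's MaxStartups random early drop as documented in sshd_config(5).

Added example, not OpenSSH code: a new connection is refused with probability
rate% once `start` unauthenticated connections exist, rising linearly to 100%
at `full`; a single number is a hard cap. Names here are this example's own.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class MaxStartups:
    start: int   # unauthenticated connections at which dropping begins
    rate: int    # drop probability in percent at `start`
    full: int    # unauthenticated connections at which every attempt is refused


def parse_max_startups(value: str) -> MaxStartups:
    """Parse either a plain limit ("10") or "start:rate:full" ("10:30:60")."""
    parts = value.strip().split(":")
    if len(parts) == 1:
        limit = int(parts[0])
        # Hard cap: nothing refused below the limit, everything at or above it.
        return MaxStartups(start=limit, rate=100, full=limit)
    if len(parts) != 3:
        raise ValueError(f"MaxStartups must be 'N' or 'start:rate:full', got {value!r}")
    start, rate, full = (int(p) for p in parts)
    if not (1 <= rate <= 100) or start < 1 or start > full:
        raise ValueError(f"invalid MaxStartups {value!r}")
    return MaxStartups(start, rate, full)


def drop_probability(cfg: MaxStartups, unauthenticated: int) -> float:
    """Probability (0..1) that a new attempt is refused with `unauthenticated` pending."""
    if unauthenticated < cfg.start:
        return 0.0
    if unauthenticated >= cfg.full or cfg.rate == 100:
        return 1.0
    # Linear ramp from rate% at `start` to 100% at `full` (span is > 0 here).
    span = cfg.full - cfg.start
    pct = cfg.rate + (100 - cfg.rate) * (unauthenticated - cfg.start) / span
    return pct / 100.0


def should_drop(cfg: MaxStartups, unauthenticated: int, rng=random) -> bool:
    """Simulate one connection attempt: True if sshd would refuse it."""
    return rng.random() < drop_probability(cfg, unauthenticated)


if __name__ == "__main__":
    for setting, pending in (("10", (9, 10)), ("10:30:60", (9, 10, 35, 60)), ("2:90:4", (1, 2, 3, 4))):
        cfg = parse_max_startups(setting)
        print(setting, {n: f"{drop_probability(cfg, n):.0%}" for n in pending})
```

With 2:90:4, the second pending login already has a 90% chance of being refused and the fourth is always refused, which is why the setting suits a single-user box but not one with many concurrent logins.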

