[Mageia-discuss] Setting up a port forward

Anne Wilson annew at kde.org
Sat Sep 1 20:36:52 CEST 2012



On 01/09/12 10:10, Anne Wilson wrote:
> On 31/08/12 23:16, Deri James wrote:
>> On Friday 31 Aug 2012 22:42:26 Thomas Backlund wrote:
>>> Why not simply have sshd listen on 2 ports and skip need for
>>> port forwarding?
>>> 
> Thanks, Thomas and Deri.
>>> 
>>> Just uncomment the "Port 22" line in /etc/ssh/sshd_config and 
>>> add a second line with the second port
>>> 
>>> so it would look like
>>> 
>>> Port 22
>>> Port 5122
>>> 
>>> and restart sshd
>>> 
>>> with this all access that expects port 22 will continue to
>>> work, and you can also access it through the new 5122 port.
>>> 
>>> Simple and effective, and no portforwarding needed.
>>> 
> Done
> 
>> And add 5122/tcp to the "Advanced" tab in MCC -> Security -> 
>> Personal Firewall (if you are using a personal firewall).
> 
> Also done
> 
>> If the server is accessible from the internet I would recommend 
>> some further changes to sshd_config. This is what I use (assuming 
>> this is a server for personal use, not with hundreds of users 
>> connecting):-
> 
>> =================================================
> 
>> LoginGraceTime 120
> 
> Was 2m - I assume that is minutes and you gave seconds.  Changed
> it anyway
> 
>> PermitRootLogin no
> 
>> TCPKeepAlive yes
> 
> Both already set
> 
>> AllowUsers ->your user name here<-
>> MaxStartups 2:90:4
> 
>> ==================================================
> 
>> The "MaxStartups" parameter deters the script kiddies trying to 
>> guess the password:-
> 
> 
>> MaxStartups ========
> 
>> Specifies the maximum number of concurrent unauthenticated 
>> connections to the SSH daemon. Additional connections will be 
>> dropped until authentication succeeds or the LoginGraceTime 
>> expires for a connection. The default is 10.
> 
>> Alternatively, random early drop can be enabled by specifying the
>>  three colon separated values “start:rate:full” (e.g.
>> "10:30:60"). sshd(8) will refuse connection attempts with a
>> probability of “rate/100” (30%) if there are currently “start”
>> (10) unauthenticated connections. The probability increases
>> linearly and all connection attempts are refused if the number of
>>  unauthenticated connections reaches “full” (60).
> 
> Done.  Also fail2ban is installed, which should give another layer 
> of protection.  I've used that for ~3 years, and in that time only 
> seen 3-4 times when it had to work, but work it did :-)
> 
> Unfortunately, after adding the IMAP high port to shorewall and 
> telling dovecot to listen to that port, I still can't get my
> Roaming mail profile to work.  I'll have to explore more later
> today.
> 
> Thanks for the help so far.
> 
Just to confirm - the IMAP forwarding still isn't working, so I have to
explore further on that but ssh is working.

Anne
-- 
Need KDE help? Try
http://userbase.kde.org or
http://forum.kde.org
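Added example (not written by anyone in this thread): a Python script that parses an sshd_config fragment containing the settings Thomas and Deri recommended, flags which of those recommendations a config misses, and models the MaxStartups random early drop probability described in the quoted man page text. The config text and the user name `anne` are constructed, and the probability function follows the man page wording rather than the daemon's source.

```python
import re

# Constructed sshd_config fragment (not a real host's file) with the settings from the thread.
SAMPLE_SSHD_CONFIG = """\
Port 22
Port 5122
LoginGraceTime 120
PermitRootLogin no
TCPKeepAlive yes
AllowUsers anne
MaxStartups 2:90:4
"""

def parse_sshd_config(text):
    """Map lowercased keyword -> list of values; repeatable keywords such as Port keep every value."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments; skip blank lines
        if not line:
            continue
        key, value = re.split(r"[\s=]+", line, maxsplit=1)  # sshd accepts "Key Value" or "Key=Value"
        settings.setdefault(key.lower(), []).append(value.strip())
    return settings

def parse_max_startups(value):
    """'start:rate:full' -> (start, rate, full), with basic sanity checks."""
    start, rate, full = (int(p) for p in value.split(":"))
    if not (0 < start <= full and 0 < rate <= 100):
        raise ValueError("MaxStartups needs 0 < start <= full and 0 < rate <= 100")
    return start, rate, full

def drop_probability(unauth, start, rate, full):
    """Chance sshd refuses a new connection given `unauth` unauthenticated ones: 0 below start,
    rate% at start, rising linearly to 100% at full (the behaviour the quoted man page describes)."""
    if unauth < start:
        return 0.0
    if unauth >= full:
        return 1.0
    return (rate + (100 - rate) * (unauth - start) / (full - start)) / 100

def hardening_findings(settings):
    """Report which of the thread's recommendations a parsed config does not follow (unset = not hardened)."""
    findings = []
    if settings.get("permitrootlogin", ["yes"])[0].lower() != "no":
        findings.append("PermitRootLogin is not 'no'")
    if "allowusers" not in settings:
        findings.append("AllowUsers not set: every local account may log in over SSH")
    if "maxstartups" not in settings:
        findings.append("MaxStartups left at the default of 10, no random early drop")
    return findings
```

With the thread's `2:90:4`, a third unauthenticated connection is refused 90% of the time and a fourth always, which is what keeps a password-guessing loop from holding many sessions open at once.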