* opening port for SSH
From: Edwin Kapauni @ 2005-12-08 13:43 UTC (permalink / raw)
To: netfilter
From the recent thread
<http://www.spinics.net/lists/netfilter/msg33021.html> I have adopted
this ruleset for a standalone computer.
Now, I need some help teaching me how to open ports for SSH and VoIP.
That shouldn't be too difficult, right?
######################### start ###########################
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -Z
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 113 -j REJECT --reject-with tcp-reset
############################# end #################################
Thanks for any help.
* Re: opening port for SSH
From: /dev/rob0 @ 2005-12-08 14:23 UTC (permalink / raw)
To: netfilter
On Thursday 2005-December-08 07:43, Edwin Kapauni wrote:
> Now, I need some help teaching me how to open ports for SSH and VoIP.
> That shouldn't be too difficult, right?
SSH, simple. VOIP, depends on what protocol[s] you mean, but no, in
general it should not be difficult.
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
Ensure that your users have strong passwords and/or disable password
authentication altogether, because many worms/bots (I think run by and
for phishers) are probing the Internet for openings in TCP port 22 and
attempting to login using common usernames and passwords.
For any well-configured host these attacks are nothing more than an
annoyance, but you might wish to do some kind of blocking to limit the
login attempts, if for no other reason than to reduce the noise in
logging. There have been "-m recent" and "-m limit" ideas posted here
to do that. If you have the "recent" match extension, that is probably
better overall, but the "limit" approach is good enough for me.
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
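The rule above together with the "-m recent" and "-m limit" ideas mentioned, as an added example that is not /dev/rob0's code or anything posted in this thread. It assumes Edwin's base ruleset is already loaded (INPUT policy DROP, ESTABLISHED,RELATED accepted), that the recent and limit match extensions are available, and uses a dedicated chain name SSH_IN and the list name sshscan, both of which are my choices. Without the word "apply" as its first argument the script only prints the rules it would add.

```shell
# Added example: accept new SSH connections, but throttle sources that open
# more than HITS new connections within WINDOW seconds (-m recent), and cap
# the log lines that throttling produces (-m limit).
# IPT=echo turns every iptables call into a printed line (dry run).
IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-22}"   # "ssh" also works: iptables resolves names from /etc/services
HITS="${HITS:-4}"            # new connections tolerated per source address ...
WINDOW="${WINDOW:-60}"       # ... within this many seconds

ssh_rules() {
    # A dedicated chain keeps INPUT readable; create it if missing, then empty it.
    "$IPT" -N SSH_IN 2>/dev/null || true
    "$IPT" -F SSH_IN
    # Record the source address in the "sshscan" list; this SYN counts as a hit.
    "$IPT" -A SSH_IN -m recent --name sshscan --set
    # Source exceeded HITS new connections in WINDOW seconds: log it, but at most
    # three lines a minute so a scanner cannot flood the log either.
    "$IPT" -A SSH_IN -m recent --name sshscan --update --seconds "$WINDOW" --hitcount "$HITS" \
        -m limit --limit 3/min --limit-burst 5 -j LOG --log-prefix "ssh-throttle: "
    # ... and drop it. --update refreshes the timestamp, so a source that keeps
    # hammering stays blocked until it pauses for WINDOW seconds.
    "$IPT" -A SSH_IN -m recent --name sshscan --update --seconds "$WINDOW" --hitcount "$HITS" -j DROP
    # Everything else is a legitimate new SSH connection.
    "$IPT" -A SSH_IN -j ACCEPT
    # Only new connections (SYN) to the SSH port enter the chain; packets of
    # established sessions were already accepted by the state rule.
    "$IPT" -A INPUT -p tcp --syn --dport "$SSH_PORT" -j SSH_IN
}

# Dry run by default; "apply" as the first argument installs the rules.
case "${1:-}" in
    apply) ssh_rules ;;
    *)     IPT=echo; ssh_rules ;;
esac
```

Run it as root with `sh ssh-rules.sh apply` once the printed rules look right; the throttle counts only new connections, so an existing session that sends many packets is never affected.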
* Re: opening port for SSH
From: Georgi Alexandrov @ 2005-12-09 14:23 UTC (permalink / raw)
To: netfilter
Edwin Kapauni wrote:
> From the recent thread
> <http://www.spinics.net/lists/netfilter/msg33021.html> I have adopted
> this ruleset for a standalone computer.
>
> Now, I need some help teaching me how to open ports for SSH and VoIP.
> That shouldn't be too difficult, right?
>
> ######################### start ###########################
>
>
> iptables -F
> iptables -X
> iptables -Z
> iptables -t nat -F
> iptables -t nat -X
> iptables -t nat -Z
> iptables -t mangle -F
> iptables -t mangle -X
> iptables -t mangle -Z
>
>
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT
>
>
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
> iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
> iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT
> iptables -A INPUT -p tcp --syn --dport 113 -j REJECT --reject-with tcp-reset
>
>
> ############################# end #################################
>
> Thanks for any help.
>
>
>
If you are running your ssh server on port 22, you should add the
following line to the script:
iptables -A INPUT -p tcp --syn --dport 22 -j ACCEPT
But I highly recommend binding the ssh server to a higher port.
regards,
Georgi Alexandrov
* Re: opening port for SSH
From: myhapwcforever @ 2005-12-09 14:42 UTC (permalink / raw)
To: netfilter
And use the public-key ;)
----- Original Message -----
From: "Georgi Alexandrov" <georgi.alexandrov@gmail.com>
To: <netfilter@lists.netfilter.org>
Sent: Friday, December 09, 2005 10:23 PM
Subject: Re: opening port for SSH
> Edwin Kapauni wrote:
>
> > From the recent thread
> > <http://www.spinics.net/lists/netfilter/msg33021.html> I have adopted
> > this ruleset for a standalone computer.
> >
> > Now, I need some help teaching me how to open ports for SSH and VoIP.
> > That shouldn't be too difficult, right?
> >
> > ######################### start ###########################
> >
> >
> > iptables -F
> > iptables -X
> > iptables -Z
> > iptables -t nat -F
> > iptables -t nat -X
> > iptables -t nat -Z
> > iptables -t mangle -F
> > iptables -t mangle -X
> > iptables -t mangle -Z
> >
> >
> > iptables -P INPUT DROP
> > iptables -P FORWARD DROP
> > iptables -P OUTPUT ACCEPT
> >
> >
> > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A INPUT -i lo -j ACCEPT
> > iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
> > iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
> > iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT
> > iptables -A INPUT -p tcp --syn --dport 113 -j REJECT --reject-with tcp-reset
> >
> >
> > ############################# end #################################
> >
> > Thanks for any help.
> >
> >
> >
> If you are running your ssh server on port 22, you should add the
> following line to the script:
> iptables -A INPUT -p tcp --syn --dport 22 -j ACCEPT
>
> But I highly recommend binding the ssh server to a higher port.
>
>
> regards,
> Georgi Alexandrov
>
* Re: opening port for SSH
From: Georgi Alexandrov @ 2005-12-09 15:37 UTC (permalink / raw)
To: netfilter
myhapwcforever wrote:
>And use the public-key ;)
>
>
And disable version 1 of the protocol.
And disable root logins.
And use AllowGroups and/or AllowUsers in sshd_config.
And use RSA for generating the keys.
P.S.
You mean pub/priv key pair, right?
regards,
Georgi Alexandrov
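A quick way to check a server's sshd_config against the points in this list, as an added example that is not Georgi's code or part of the thread. The defaults it assumes when a directive is absent are those of OpenSSH of the period (Protocol 2,1; PermitRootLogin yes; PasswordAuthentication yes; PubkeyAuthentication yes; no AllowUsers/AllowGroups); the key-type point (RSA) is not checked. Both configurations in the script are constructed samples, not anyone's real file.

```shell
# Added example: audit an sshd_config text for SSH-1, root login, password
# logins, disabled public keys and missing Allow* lists.

# First value of a directive in the config text $1, lowercased.  sshd uses
# the first occurrence of a keyword, so stop there; a Match block would
# start conditional settings, so stop at it entirely.
sshd_opt() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0  { next }
        tolower($1) == "match"       { exit }
        tolower($1) == tolower(key)  { print tolower($2); exit }
    '
}

# Print one finding per line; the return status is the number of findings.
audit_sshd_config() {
    cfg="$1"; n=0
    v=$(sshd_opt "$cfg" Protocol); v=${v:-2,1}
    case "$v" in
        *1*) echo "Protocol '$v' still permits SSH-1; set 'Protocol 2'"; n=$((n + 1)) ;;
    esac
    v=$(sshd_opt "$cfg" PermitRootLogin); v=${v:-yes}
    [ "$v" = no ] || { echo "PermitRootLogin '$v'; set 'PermitRootLogin no'"; n=$((n + 1)); }
    v=$(sshd_opt "$cfg" PasswordAuthentication); v=${v:-yes}
    [ "$v" = no ] || { echo "PasswordAuthentication '$v'; keys only means 'PasswordAuthentication no'"; n=$((n + 1)); }
    v=$(sshd_opt "$cfg" PubkeyAuthentication); v=${v:-yes}
    [ "$v" = yes ] || { echo "PubkeyAuthentication '$v'; key logins would be refused"; n=$((n + 1)); }
    if [ -z "$(sshd_opt "$cfg" AllowUsers)" ] && [ -z "$(sshd_opt "$cfg" AllowGroups)" ]; then
        echo "No AllowUsers/AllowGroups; every account with a valid shell may log in"; n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample resembling a stock sshd_config of the time.
WEAK_CFG='# constructed sample
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes'

# Constructed sample applying the list above (Port 922 is an arbitrary choice).
HARDENED_CFG='# constructed sample
Port 922
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups sshusers'

echo "== weak sample";     audit_sshd_config "$WEAK_CFG"     || echo "-> $? finding(s)"
echo "== hardened sample"; audit_sshd_config "$HARDENED_CFG" && echo "-> no findings"
```

To audit a real file, call `audit_sshd_config "$(cat /etc/ssh/sshd_config)"`; the return status doubles as a count, so it can gate a deployment script.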
* Re: opening port for SSH
From: Edwin Kapauni @ 2005-12-14 16:02 UTC (permalink / raw)
To: netfilter
Georgi Alexandrov wrote:
> myhapwcforever wrote:
>
>> And use the public-key ;)
>>
>>
> And disable version 1 of the protocol.
> And disable root logins.
> And use AllowGroups and/or AllowUsers in sshd_config.
> And use RSA for generating the keys.
Thanks Georgi, myhapwcforever and /dev/rob0 for your support.
I need to find some time to read and think about the SSH stuff before
opening a port for it.
But some questions I have here:
What's the benefit of preferring
either "--dport ssh"
or "--dport 22"?
And, what's the meaning of "binding the ssh server to a higher port"?
* RE: opening port for SSH
From: Rob Sterenborg @ 2005-12-14 17:28 UTC (permalink / raw)
To: netfilter
> But some questions I have here:
>
> What's the benefit of preferring
> either "--dport ssh"
> or "--dport 22"?
It's the same. Look in /etc/services for service-names you can use.
You can use the notation that you prefer.
> And, what's the meaning of "binding the ssh server to a higher port"?
A "higher port" means a port number somewhere above 1024.
Normally ssh binds to port 22/tcp (see above). In sshd_config you can
tell it to bind to 49152 or something.
Gr,
Rob
* Re: opening port for SSH
From: Bjørn Ruberg @ 2005-12-14 17:39 UTC (permalink / raw)
To: netfilter
"Rob Sterenborg" <rob@sterenborg.info> writes:
> > And, what's the meaning of "binding the ssh server to a higher port"?
>
> A "higher port" means a port number somewhere above 1024.
> Normally ssh binds to port 22/tcp (see above). In sshd_config you can
> tell it to bind to 49152 or something.
The important thing to know about high and low ports is that on *nix
systems, only the root user may bind a service to ports below 1024,
while regular users can start any kind of service and make it
available through TCP or UDP ports above and including 1024.
Because you don't want to run the risk of your SSH server being
replaced by some shady regular-user process which will gladly pick up
your login credentials, the smart thing is to bind services like SSH
to ports below 1024.
--
Bjørn
* Re: opening port for SSH
From: Nick Drage @ 2005-12-14 20:36 UTC (permalink / raw)
To: netfilter
On Wed, Dec 14, 2005 at 06:39:26 +0100, Bjørn Ruberg wrote:
> "Rob Sterenborg" <rob@sterenborg.info> writes:
>
> > > And, what's the meaning of "binding the ssh server to a higher
> > > port"?
> >
> > A "higher port" means a port number somewhere above 1024. Normally
> > ssh binds to port 22/tcp (see above). In sshd_config you can tell it
> > to bind to 49152 or something.
>
> The important thing to know about high and low ports is that on *nix
> systems, only the root user may bind a service to ports below 1024,
> while regular users can start any kind of service and make it
> available through TCP or UDP ports above and including 1024.
>
> Because you don't want to run the risk of your SSH server being
> replaced by some shady regular-user process which will gladly pick up
> your login credentials, the smart thing is to bind services like SSH
> to ports below 1024.
In order to bind to the correct port wouldn't the existing SSHD process
need to be killed? Or at least redirected to listen on another port so
the "shady" process could act as an intermediary. For that to happen
wouldn't the attacker need root privileges anyway?
--
morals are for little people
Jenny Solzer
* Re: opening port for SSH
From: Bjørn Ruberg @ 2005-12-14 22:06 UTC (permalink / raw)
To: Nick Drage; +Cc: netfilter
Nick Drage wrote:
> On Wed, Dec 14, 2005 at 06:39:26 +0100, Bjørn Ruberg wrote:
[...]
> In order to bind to the correct port wouldn't the existing SSHD process
> need to be killed? Or at least redirected to listen on another port so
> the "shady" process could act as an intermediary. For that to happen
> wouldn't the attacker need root privileges anyway?
There are several ways to escalate privileges, most of which are not
netfilter related.
The point I was trying to make is that important services should not be
told to listen to ports above 1024.
--
Bjørn
* Re: opening port for SSH
From: Georgi Alexandrov @ 2005-12-14 20:46 UTC (permalink / raw)
To: netfilter
Bjørn Ruberg wrote:
>Because you don't want to run the risk of your SSH server being
>replaced by some shady regular-user process which will gladly pick up
>your login credentials, the smart thing is to bind services like SSH
>to ports below 1024.
>
>
Yes, it's better to run it < 1024 but different from 22 (default).
Actually the only plus for binding it != 22 is that you avoid filling
your log files with automatic scans/attacks.
regards,
Georgi Alexandrov
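The port question as the thread leaves it, as an added example that is none of the participants' code: a port is resolved the way iptables resolves "--dport ssh" or "--dport 22" (Rob's point about /etc/services), classified as root-only or not at the 1024 boundary (Bjørn's point), and then checked against Georgi's conclusion that it should be below 1024 but not the default 22. SAMPLE_SERVICES is a constructed excerpt in /etc/services format, and 922 is an arbitrary sample port.

```shell
# Added example: resolve a port name or number, classify it, and report
# whether it meets the thread's recommendation for SSH.

# Constructed excerpt standing in for /etc/services.
SAMPLE_SERVICES='# constructed excerpt in /etc/services format
ssh        22/tcp
ssh        22/udp
auth       113/tcp     ident
http       80/tcp      www'

# resolve_port NAME_OR_NUMBER [SERVICES_TEXT]: print the TCP port number.
# Numbers pass through after a range check; names are looked up in the
# services text ($2, defaulting to the real /etc/services when readable).
resolve_port() {
    svc=${2:-$(cat /etc/services 2>/dev/null)}
    case "$1" in
        ''|*[!0-9]*)
            printf '%s\n' "$svc" | awk -v name="$1" '
                /^[[:space:]]*#/ { next }
                $1 == name && $2 ~ /\/tcp$/ { sub(/\/tcp$/, "", $2); print $2; found = 1; exit }
                END { if (!found) exit 1 }
            ' ;;
        *) [ "$1" -ge 1 ] && [ "$1" -le 65535 ] && echo "$1" ;;
    esac
}

# port_class PORT: "privileged" (below 1024, only root may bind it) or
# "unprivileged" (1024 and up, any local user may bind it).
port_class() {
    if [ "$1" -lt 1024 ]; then echo privileged; else echo unprivileged; fi
}

# check_ssh_port NAME_OR_NUMBER [SERVICES_TEXT]: print a verdict and return 0
# only when the port is privileged and not the default 22.
check_ssh_port() {
    p=$(resolve_port "$1" "$2") || { echo "cannot resolve '$1'"; return 1; }
    if [ "$(port_class "$p")" = unprivileged ]; then
        echo "$p: any local user could bind it while sshd is down; choose one below 1024"
        return 1
    fi
    if [ "$p" -eq 22 ]; then
        echo "$p: root-only, but the default every automated scan tries first"
        return 1
    fi
    echo "$p: root-only and off the default; rule: -A INPUT -p tcp --syn --dport $p -j ACCEPT"
}

for candidate in ssh 22 922 49152; do
    check_ssh_port "$candidate" "$SAMPLE_SERVICES" || :
done
```

Whatever port is chosen, the sshd_config `Port` directive and the iptables `--dport` must agree; running `check_ssh_port` on the value from sshd_config before loading the firewall script catches a mismatch early.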
* Re: opening port for SSH
From: myhapwcforever @ 2005-12-10 14:43 UTC (permalink / raw)
To: netfilter
Yeah. I mean the key pair.