Opened 11 years ago
Closed 10 years ago
#574 closed incident (fixed)
watertoren3 ssh spam
| Reported by: | rick | Owned by: | rick |
|---|---|---|---|
| Keywords: | | Cc: | |
| Location: | Generic | | |
Description
Lots of junk in the auth log, causing /var to fill up.
Quick fix to have SSH come in on port 1022 instead of 22.
HybridWatertoren3# diff -u /conf/base/etc/pf.hybrid.conf /etc/pf.hybrid.conf --- /conf/base/etc/pf.hybrid.conf 2012-05-24 18:19:22.000000000 +0000 +++ /etc/pf.hybrid.conf 2014-05-16 19:53:36.000000000 +0000 @@ -17,7 +17,7 @@ # # Standard port allow listings -allow_ext_in_tcp="ssh, domain, openvpn" +allow_ext_in_tcp="1022, domain, openvpn" allow_ext_in_udp="domain, snmp, openvpn" allow_ext_out_tcp = "domain, http, https, openvpn" @@ -59,6 +59,9 @@ no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port http rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port http -> 172.31.255.1 port 8081 +# Quick to avoid ssh spamming +rdr on $ext_if proto tcp from any to $ext_if port 1022 -> $ext_if port 22 + # Load autogenerated entries, like the remote mappings (7) include "/etc/pf.hybrid.conf.local"
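Review bot: In the first hunk, replacing ssh with 1022 in allow_ext_in_tcp may not admit the connections this patch is meant to admit. pf applies rdr before the filter rules, so once the rdr rule added in the second hunk has rewritten the destination, the filter sees these connections with destination port 22, not 1022. The rule that consumes allow_ext_in_tcp is not visible in this diff, so check it: if it matches on destination port, the redirected traffic will not match 1022. Writing the redirect as `rdr pass on $ext_if ...`, or adding a tag in the rdr rule and passing on that tag, would permit the redirected connection explicitly while direct connections to port 22 stay outside the allow list.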
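Review bot: The comment on the new rdr rule in the second hunk, `# Quick to avoid ssh spamming`, does not say what the rule does. Suggest describing the mapping itself (external port 1022 on $ext_if redirected to port 22 on the same interface) and referencing ticket #574, so that whoever next edits pf.hybrid.conf can see the redirect is deliberate and why "ssh" no longer appears in allow_ext_in_tcp.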
Change History (2)
comment:1 by , 10 years ago
comment:2 by , 10 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |

SSH ports have been moved to 1022
Today /var overflowed again because of an overfull /var/log/auth.log.
Saw that this quick diff for the firewall had not yet been rolled out on this node.
I am in favour of doing this so that we move away from port 22.
Any objections to pushing this through and rolling it out?