Opened 6 years ago

Closed 6 years ago

#574 closed incident (fixed)

watertoren3 ssh spam

Reported by: rick Owned by: rick
Keywords: Cc:
Location: Generiek

Description

Hoop gezeik in auth log waardoor /var volloopt.

Quick om SSH op port 1022 te laten binnenkomen ipv 22.

HybridWatertoren3# diff -u /conf/base/etc/pf.hybrid.conf /etc/pf.hybrid.conf
--- /conf/base/etc/pf.hybrid.conf	2012-05-24 18:19:22.000000000 +0000
+++ /etc/pf.hybrid.conf	2014-05-16 19:53:36.000000000 +0000
@@ -17,7 +17,7 @@
 #
 
 # Standard port allow listings
-allow_ext_in_tcp="ssh, domain, openvpn"
+allow_ext_in_tcp="1022, domain, openvpn"
 allow_ext_in_udp="domain, snmp, openvpn"
 
 allow_ext_out_tcp = "domain, http, https, openvpn"
@@ -59,6 +59,9 @@
 no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port http
 rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port http -> 172.31.255.1 port 8081
 
+# Quick to avoid ssh spamming
+rdr on $ext_if proto tcp from any to $ext_if port 1022 -> $ext_if port 22
+
 # Load autogenerated entries, like the remote mappings (7)
 include "/etc/pf.hybrid.conf.local"

Change History (2)

comment:1 Changed 6 years ago by ed

Vandaag was /var weer overgelopen door een overvolle /var/log/auth.log.
Zag dat deze quick diff voor de firewall nog niet was uitgerold op deze node.

Ik ben een voorstander om dit te doen om zo weg te gaan van port 22.

Iemand bezwaar om dit door te zetten en uit te rollen?

comment:2 Changed 6 years ago by ed

Resolution: fixed
Status: newclosed

SSh poorten zijn verplaatst naar 1022

Note: See TracTickets for help on using tickets.