How to hide known public services without affecting internal applications

It's only a matter of time before one gets annoyed by dictionary attacks against a server exposed on a public network. Of course I can use fail2ban or denyhosts (as I did for a long time), but it costs some performance. Also, logcheck and logwatch notified me about every unsuccessful auth attempt, and turning that off isn't the best idea.

So I was really pissed off with this and started by changing the SSH daemon's default port to a custom one. To achieve real peace the mail subsystem needs the same treatment. While changing the port for SSH was simple and without noticeable impact, the default ports for IMAPS and SMTPS are used in my scenario by some internal applications and by clients connecting via VPN.

I decided to use iptables to protect the public ports of these services by obscurity. See the rules below.
 
 # filter table: only connections carrying mark 0xE may reach the real imaps/smtps ports from eth0
 iptables -A INPUT -i eth0 -p tcp -m mark --mark 0xE --dport 993 -j ACCEPT
 iptables -A INPUT -i eth0 -p tcp -m mark --mark 0xE --dport 465 -j ACCEPT
 
 # nat table: mark connections arriving on the custom ports, then redirect them to the default ports
 iptables -t nat -A PREROUTING -p tcp -d 78.46.80.136 --dport 9993 -j MARK --set-mark 0xE
 iptables -t nat -A PREROUTING -p tcp -d 78.46.80.136 --dport 9993 -j REDIRECT --to-ports 993
 iptables -t nat -A PREROUTING -p tcp -d 78.46.80.136 --dport 4465 -j MARK --set-mark 0xE
 iptables -t nat -A PREROUTING -p tcp -d 78.46.80.136 --dport 4465 -j REDIRECT --to-ports 465
 
With these rules applied I use the custom ports 9993 and 4465 to connect to the IMAPS and SMTPS services. Connections to these ports are marked and redirected to the default ports. Unmarked connections, i.e. direct hits on the default ports, are dropped later in the chain; connections carrying mark 0xE are accepted.

All internal applications are left untouched and keep working, because the service daemons listen on all interfaces with unchanged port numbers.
And I'm finally enjoying peace :)

Note: the port numbers shown above are examples, except the default imaps/smtps ports (993, 465). The public IP address belongs to this blog's web server.
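A complete, parameterised version of the rule set above, added here as an example and not code from the original post. It assumes the external interface, public IP (198.51.100.10 is a constructed documentation address), mark value and both ports as parameters, and it prints a conntrack accept first because the nat PREROUTING rules, and therefore the mark, only see the first packet of each connection; later packets of an accepted flow must pass as ESTABLISHED.

```shell
#!/bin/sh
# Added example (not the post's own code): generate the full iptables rule set for
# the "custom public port -> mark -> redirect to default port" pattern, for any
# service. Assumptions (mine): interface, public IP, mark and ports are parameters;
# 198.51.100.10 is a constructed address standing in for the server's public IP.

# hidden_port_rules IFACE PUBLIC_IP MARK CUSTOM_PORT DEFAULT_PORT
# Prints four iptables commands for one service, in the order they must be added.
hidden_port_rules() {
    iface=$1; pub=$2; mark=$3; custom=$4; default=$5
    # nat: tag the first packet of a connection to the custom port, then redirect it
    printf 'iptables -t nat -A PREROUTING -p tcp -d %s --dport %s -j MARK --set-mark %s\n' \
        "$pub" "$custom" "$mark"
    printf 'iptables -t nat -A PREROUTING -p tcp -d %s --dport %s -j REDIRECT --to-ports %s\n' \
        "$pub" "$custom" "$default"
    # filter: only marked connections may reach the daemon's real port from outside
    printf 'iptables -A INPUT -i %s -p tcp -m mark --mark %s --dport %s -j ACCEPT\n' \
        "$iface" "$mark" "$default"
    # direct hits on the default port via the public interface are dropped; other
    # interfaces (VPN, loopback) are untouched, so internal clients keep working
    printf 'iptables -A INPUT -i %s -p tcp --dport %s -j DROP\n' "$iface" "$default"
}

# Full set for IMAPS and SMTPS as in the post. Review with `ruleset`,
# apply with `ruleset | sh`. The conntrack accept comes first: the nat table
# (and so the MARK) only sees the first packet of a connection.
ruleset() {
    echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    hidden_port_rules eth0 198.51.100.10 0xE 9993 993
    hidden_port_rules eth0 198.51.100.10 0xE 4465 465
}

# Number of commands the set produces, as a quick sanity check before applying.
count_rules() { ruleset | wc -l | tr -d ' '; }

if [ "${1:-}" = "--print" ]; then ruleset; fi
```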

author: niekto@niekde.sk (Jaroslav Petráš)

date: Tue, 29 Jul 2014 14:08:00 +0200

link: CyberAsylum.eu/how-to-hide-known-public-services-without-affecting-internal-applications

SINT - iptables usage notes (my edition)

My notes about iptables usage. This article will grow over time.


DROP incoming connections to TCP port 80, inserting the rule at position 6 of the INPUT chain

iptables -I INPUT 6 -p tcp -m tcp --dport 80 -j DROP

Delete rule 6 from the INPUT chain (-D needs the chain name)

iptables -D INPUT 6

DROP new incoming TCP connections (SYN only) to destination port 1521 once more than 5 connections already exist in total (--connlimit-mask 0 counts all source addresses together)

iptables -A INPUT -p tcp -m tcp --dport 1521 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 5 --connlimit-mask 0 -j DROP
 

author: niekto@niekde.sk (Jaroslav Petráš)

date: Wed, 16 Jul 2014 20:03:00 +0200

link: CyberAsylum.eu/sint-iptables-usage-notes

SINT - How to add rsyslogd socket to chroot

How to add an rsyslogd socket to a chroot for Apache & PHP syslog application logging:
 
 $ModLoad imuxsock                          # provides support for local system logging
 $AddUnixListenSocket /chroot/dev/log       # extra log socket reachable from inside the chroot
 
 $umask 0000                                # reset umask (applies to everything below)
 $FileGroup web-admins                      # group owner of the log files created below
 $FileCreateMode 0440                       # created log files readable by owner and group only
 local1.*                /var/log/app-auth.log        # log everything from this facility to that file
 local2.*                /var/log/app-messages.log    # log everything from this facility to that file
 

author: niekto@niekde.sk (Jaroslav Petráš)

date: Thu, 10 Jul 2014 15:18:00 +0200

link: CyberAsylum.eu/sint-add-rsyslogd-socket-to-chroot

Some missing streams from 1st June '14

I'm sorry to tell you there are no stream dumps for the Leporelo_FM and Signall_FM sessions live-streamed on 1 June 2014, because of connectivity issues.

There is evidence that this server was alive and working properly, with established connections to the world.
The fault was probably on the other side.

Please accept my apologies.

author: niekto@niekde.sk (Jaroslav Petráš)

date: Mon, 02 Jun 2014 11:32:00 +0200

link: CyberAsylum.eu/some-missing-streams-from-1st-june-14

On trip to Slavin

Some photos shot on a trip to Slavin. The camera was a Canon EOS 20D with old manual M42 lenses.

All shots: Canon EOS 20D, ISO 100, processed in RawTherapee; aperture and focal length unknown (manual lenses). Listed as filename: lens, exposure time, original date/time.

IMG_8759.jpg: Helios 44M-4 2/58, 1/400s, 2014:03:29 15:51:25
IMG_8776.jpg: Mirage Auto Reflex f=200mm 1:3.5, 1/4000s, 2014:03:29 15:58:33
IMG_8787.jpg: Helios 44M-4 2/58, 1/500s, 2014:03:29 16:04:00
IMG_8789.jpg: Helios 44M-4 2/58, 1/400s, 2014:03:29 16:04:33
IMG_8803.jpg: Helios 44M-4 2/58, 1/1250s, 2014:03:29 16:15:55
IMG_8811.jpg: Helios 44M-4 2/58, 1/6400s, 2014:03:29 16:27:37
IMG_8820.jpg: Helios 44M-4 2/58, 1/5000s, 2014:03:29 16:34:23
IMG_8834.jpg: Helios 44M-4 2/58, 1/1250s, 2014:03:29 16:43:12
IMG_8849.jpg: Helios 44M-4 2/58, 1/6400s, 2014:03:29 16:49:59
IMG_8852.jpg: Helios 44M-4 2/58, 1/5000s, 2014:03:29 16:50:31


author: niekto@niekde.sk (Jaroslav Petráš)

date: Sun, 30 Mar 2014 15:06:33 +0200

link: CyberAsylum.eu/photography-on-trip-to-slavin