Watching the sunset from Braunsberg
Yesterday was a good day for some chilling at Braunsberg again with friends, some bottles of beer and pipes full of tobacco.
SMC Pentax f1.7/50mm
date: Sun, 23 Aug 2015 11:13:00 +0200
Braunsberg in Austria is a nice place to rest
Not far from the capital city of Slovakia lies the Braunsberg hill (346 m a.s.l.), which is actually a limestone massif. It is a dominant object in the landscape and I have always been fascinated by it. So the decision was made and I took a trip to that interesting place.
The first time, I walked there by the tourist path. It's also accessible by car, which is an advantage but also a disadvantage because of the heavy traffic of loud people. Thus a relatively quiet place is disrupted by guys revving the engines of their motorcycles, loud music from parked cars (wtf?!), crying babies, etc. So it's more of an urban place, and the watch tower within the palisade is pretty busy. On the other hand, I never saw anyone sitting directly on the limestone rocks, and that is the spot where I really love to chill with my camera.
I have one more remark. I noticed some felt-pen writings by Slovaks (I am one too, so that's why I am even more disgusted) inside the watch tower. Something like "We were here at
Now some photos from that place and around it.
Tamron f2.5/24mm 01BB
Hoya HMC Zoom f4/80-200mm
date: Thu, 20 Aug 2015 11:03:00 +0200
Summer night walk
So I decided to grab a tripod and take a walk with my camera.
The old town district in Bratislava offers so many interesting places worth a shot.
Too bad I had to go to work in the morning.
SMC Pentax f1.7/50mm
Tamron f2.5/24mm 01BB
date: Thu, 13 Aug 2015 16:05:00 +0200
How to hide known public services without affecting internal applications
It's only a matter of time before one gets annoyed by dictionary attacks against a server exposed on a public network. Of course I can use fail2ban or denyhosts (as I did for a long time), but it costs some performance. I was also notified by logcheck and logwatch about every unsuccessful auth attempt, and turning that off isn't the best idea.
So I was really pissed off with this and started by changing the default port of the SSH daemon to a custom one. To achieve real peace, the mail subsystem also needs to be handled this way. While changing the port for SSH was simple and had no noticeable impact, the default ports for IMAPS and SMTPS are used in my scenario by some internal applications and by clients connecting via VPN.
I decided to use iptables to protect public ports of these services by obscurity.
See the rules below.
# custom imaps/smtps
iptables -A INPUT -i eth0 -p tcp -m mark --mark 0xE --dport 993 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m mark --mark 0xE --dport 465 -j ACCEPT
# nat table
iptables -t nat -A PREROUTING -p tcp -d 220.127.116.11 --dport 9993 -j MARK --set-mark 0xE
iptables -t nat -A PREROUTING -p tcp -d 18.104.22.168 --dport 9993 -j REDIRECT --to-ports 993
iptables -t nat -A PREROUTING -p tcp -d 22.214.171.124 --dport 4465 -j MARK --set-mark 0xE
iptables -t nat -A PREROUTING -p tcp -d 126.96.36.199 --dport 4465 -j REDIRECT --to-ports 465
With these rules applied I use the custom ports 9993 and 4465 to connect to the IMAPS and SMTPS services. Connections to these ports are marked and redirected to the default ports. Unmarked or direct connections to the default ports are dropped (later in the rule chain). Marked connection with mark
All internal applications are left untouched and working, because those service daemons listen on all interfaces with unchanged port numbers.
And I'm finally enjoying peace :)
Note: the port numbers shown above are examples, except the default IMAPS/SMTPS ports (993, 465). The public IP address is the one of this blog's web server.
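The complete rule set for this mark-then-redirect setup, as an added example that is not the blog's own script. It keeps the post's interface (eth0), mark (0xE) and ports, but the public IP 203.0.113.10 is a documentation-range placeholder, and two things the post only mentions are written out: the DROP rules for direct connections to the default ports, and an ESTABLISHED,RELATED accept rule that must come first, because the nat table is consulted only for the first packet of a connection and later packets therefore arrive without the mark. Setting IPT="echo iptables" prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not the blog's own script): hide IMAPS/SMTPS behind custom
# public ports using the mark-then-redirect trick, plus the DROP rules the
# post only mentions. Interface, IP and ports are placeholders.

PUB_IF="${PUB_IF:-eth0}"
PUB_IP="${PUB_IP:-203.0.113.10}"   # TEST-NET-3 placeholder, not a real server address
MARK="${MARK:-0xE}"
IPT="${IPT:-iptables}"             # IPT="echo iptables" prints the rules instead of applying them

# hide_service PUBLIC_PORT REAL_PORT
hide_service() {
    pub="$1"; real="$2"
    # The nat table only sees the first packet of a connection: mark it ...
    $IPT -t nat -A PREROUTING -i "$PUB_IF" -p tcp -d "$PUB_IP" --dport "$pub" \
        -j MARK --set-mark "$MARK"
    # ... and rewrite its destination port to the daemon's real port.
    $IPT -t nat -A PREROUTING -i "$PUB_IF" -p tcp -d "$PUB_IP" --dport "$pub" \
        -j REDIRECT --to-ports "$real"
    # Only a marked (i.e. redirected) first packet may open a connection to
    # the real port via the public interface ...
    $IPT -A INPUT -i "$PUB_IF" -p tcp -m mark --mark "$MARK" --dport "$real" -j ACCEPT
    # ... anything that dials the real port directly on the public interface
    # is dropped. Other interfaces (LAN, VPN) are untouched, so internal
    # clients keep using the default port.
    $IPT -A INPUT -i "$PUB_IF" -p tcp --dport "$real" -j DROP
}

apply_rules() {
    # Packets after the first one carry no mark (nat is not consulted again),
    # so the established-connection rule has to precede the port rules.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    hide_service 9993 993   # IMAPS: public 9993 -> real 993
    hide_service 4465 465   # SMTPS: public 4465 -> real 465
}

# Dry run:              IPT="echo iptables" sh hide_ports.sh apply
# Apply for real (root): sh hide_ports.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Check the result with `iptables -t nat -L PREROUTING -n -v` and `iptables -L INPUT -n -v --line-numbers`: the ESTABLISHED,RELATED rule must be listed before the per-port ACCEPT and DROP rules, otherwise the second packet of every connection is dropped.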
date: Tue, 29 Jul 2014 14:08:00 +0200
SINT - iptables usage notes (my edition)
My notes about iptables usage. This article will grow in time.
DROP incoming connections to TCP port 80 and insert it as rule 6 in the INPUT chain
iptables -I INPUT 6 -p tcp -m tcp --dport 80 -j DROP
Delete rule 6 from the INPUT chain
iptables -D INPUT 6
DROP outgoing TCP connections with the given flags to destination port 1521 if there are more than 5 connections
iptables -A INPUT -p tcp -m tcp --dport 1521 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 5 --connlimit-mask 0 -j DROP
date: Wed, 16 Jul 2014 20:03:00 +0200