How to hide known public services without affecting internal applications

It's only a matter of time before one gets annoyed by dictionary attacks against a server exposed on a public network. Of course I can use fail2ban or denyhosts (as I did for a long time), but they cost some performance. Also, logcheck and logwatch notified me about every unsuccessful auth attempt, and turning that off isn't the best idea.

So I was really pissed off with this and started by changing the SSH daemon's default port to a custom one. To achieve real peace the mail subsystem also needs to be handled the same way. While changing the SSH port was simple and had no noticeable impact, in my scenario the default IMAPS and SMTPS ports are used by some internal applications and by clients connecting via VPN.

I decided to use iptables to protect the public ports of these services through obscurity.
See the rules below.
 
 # filter table: accept connections to the real imaps/smtps ports on the public
 # interface only when they carry mark 0xE (set by the nat rules below)
 iptables -A INPUT -i eth0 -p tcp -m mark --mark 0xE --dport 993 -j ACCEPT
 iptables -A INPUT -i eth0 -p tcp -m mark --mark 0xE --dport 465 -j ACCEPT
 
 # nat table: mark connections arriving on the custom ports, then redirect
 # them to the real ports (9993 -> 993 for IMAPS, 4465 -> 465 for SMTPS)
 iptables -t nat -A PREROUTING -p tcp -d 78.46.80.136 --dport 9993 -j MARK --set-mark 0xE
 iptables -t nat -A PREROUTING -p tcp -d 78.46.80.136 --dport 9993 -j REDIRECT --to-ports 993
 iptables -t nat -A PREROUTING -p tcp -d 78.46.80.136 --dport 4465 -j MARK --set-mark 0xE
 iptables -t nat -A PREROUTING -p tcp -d 78.46.80.136 --dport 4465 -j REDIRECT --to-ports 465
 
With these rules applied I use the custom ports 9993 and 4465 to connect to the IMAPS and SMTPS services. Connections to these ports are marked and redirected to the default ports. Unmarked or direct connections to the default ports are dropped (later in the rule chain), while connections carrying mark 0xE are accepted.

All internal applications are left untouched and keep working, because the service daemons still listen on all interfaces with unchanged port numbers.
And I'm finally enjoying peace :)
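As an added example (not code from the original post), here is a small Python audit of an iptables-save dump that checks the mark-and-redirect setup is coherent: each custom port is marked and redirected, the marked ACCEPT on the public interface precedes the DROP for the default port, and a conntrack ESTABLISHED accept sits ahead of the mark rules, which is needed because the nat table only sees a connection's first packet. The interface eth0, the mark value, the TEST-NET address and the dump itself are constructed assumptions.

```python
# Constructed iptables-save dump (assumed interface eth0, TEST-NET address): the
# post's mark/redirect rules plus the conntrack accept and direct-hit DROP rules.
SAMPLE = """\
*nat
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 9993 -j MARK --set-xmark 0xe/0xffffffff
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 9993 -j REDIRECT --to-ports 993
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 4465 -j MARK --set-xmark 0xe/0xffffffff
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 4465 -j REDIRECT --to-ports 465
COMMIT
*filter
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m mark --mark 0xe -m tcp --dport 993 -j ACCEPT
-A INPUT -i eth0 -p tcp -m mark --mark 0xe -m tcp --dport 465 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 993 -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 465 -j DROP
COMMIT
"""

def parse_save(text):
    """Map table -> chain -> ordered list of '-A' rule lines."""
    tables, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {})
        elif line.startswith("-A ") and table is not None:
            table.setdefault(line.split()[1], []).append(line)
    return tables

def _find(rules, *needles):
    """Index of the first rule containing every needle, else None."""
    return next((i for i, r in enumerate(rules) if all(n in r for n in needles)), None)

def audit(text, iface, pairs, mark="0xe"):
    t = parse_save(text)  # findings per (public_port, real_port); [] means coherent
    nat, inp = t.get("nat", {}).get("PREROUTING", []), t.get("filter", {}).get("INPUT", [])
    out = []
    for public, real in pairs:
        if _find(nat, f"--dport {public} ", "-j MARK", mark) is None:
            out.append(f"nat: port {public} is not marked {mark}")
        if _find(nat, f"--dport {public} ", f"-j REDIRECT --to-ports {real}") is None:
            out.append(f"nat: port {public} is not redirected to {real}")
        acc = _find(inp, f"-i {iface}", f"--mark {mark}", f"--dport {real} ", "-j ACCEPT")
        drop = _find(inp, f"-i {iface}", f"--dport {real} ", "-j DROP")
        if acc is None or drop is None or drop < acc:  # ACCEPT must exist and precede DROP
            out.append(f"filter: port {real} needs a marked ACCEPT on {iface} followed by a DROP")
    # nat sees only a connection's first packet, so an ESTABLISHED accept must sit ahead of the mark rules
    est, first = _find(inp, "ESTABLISHED", "-j ACCEPT"), _find(inp, f"--mark {mark}", "-j ACCEPT")
    if est is None or (first is not None and est > first):
        out.append("filter: no ESTABLISHED accept ahead of the mark rules")
    return out
```

On a live host, feed it the output of `iptables-save` instead of SAMPLE; a non-empty list names the rule that is missing or out of order.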

Note: the port numbers shown above are examples, except for the default IMAPS/SMTPS ports (993, 465). The public IP address belongs to this blog's web server.

author: niekto@niekde.sk (Jaroslav Petráš)

date: Tue, 29 Jul 2014 14:08:00 +0000

link: CyberAsylum.eu/how-to-hide-known-public-services-without-affecting-internal-applications