How to hide known public services without affecting internal applications

It's only a matter of time when one gets annoyed by dictionary attacks to your server exposed on public network. Of course I can use fail2ban or denyhosts (as I used for long time) but it will costs some performance. Also I was noticed with logcheck and logwatch about every unsuccessfull auth attempts and to turn it off isn't the best idea.

So I was really pissed-off with this and I started with default port change to custom one for SSH daemon. To achieve real peace there is also need to handle mail subsystem in this way. While to change that port for SSH was simple and without noticable impact, default ports for IMAPS and SMTPS are used in my scenario by some internal applications and clients connecting via VPN.

I decided to use iptables to protect public ports of these services by obscurity.
See the rules bellow.
 # custom imaps/smtps
 iptables -A INPUT -i eth0 -p tcp -m mark --mark 0xE --dport 993 -j ACCEPT
 iptables -A INPUT -i eth0 -p tcp -m mark --mark 0xE --dport 465 -j ACCEPT
 # nat table
 iptables -t nat -A PREROUTING -p tcp -d --dport 9993 -j MARK --set-mark 0xE
 iptables -t nat -A PREROUTING -p tcp -d --dport 9993 -j REDIRECT --to-ports 993
 iptables -t nat -A PREROUTING -p tcp -d --dport 4465 -j MARK --set-mark 0xE
 iptables -t nat -A PREROUTING -p tcp -d --dport 4465 -j REDIRECT --to-ports 465
With these rules applied I use custom ports 9993 and 4465 to connect to IMAPS and SMTPS services. Connections to these ports are marked and redirected to default ports. Unmarked or direct connections to default ports are dropped (later in rules chain). Marked connection with mark 0xE are accepted.

All internal applications left untouched and working because those service daemons run on all interfaces with unchanged port numbers.
And I'm finaly enjoying peace :)

Note: port numbers shown above are examples except default imaps/smtps ports (993, 465). Public IP address is owned by this blog web server.

author: (Jaroslav Petráš)

date: Tue, 29 Jul 2014 14:08:00 +0000