iptables questions

Hello,

You could try adding this to your script before allowing individual services :

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Regards,

Nrth.

Or after. It depends on what you want the counters on the rules to count.

- Place it before if the counters should count the number of sessions opened.

- Place it after if the counters should count the number of bytes per protocol. However, I don't believe it's the cause of your problem. Consider also TCP packet fragmentation.

Also:

1 - smtps need not be opened. Usually, it's done via smtp and issuing a starttls command. 2 - It's a bad idea to have ssh open to the world (all IP addresses). Consider restricting it. 3 - No rule for UDP domain requests (to match TCP requests - assuming you run a name server).

And why exactly would that be?

cu

59cobalt

Is that a serious question? Chris

If the ssh server is properly secured, yes, it is a serious question.

Yours, VB.

Yes. I entirely fail to see why allowing connections from anywhere to a properly configured SSH server would count as a bad idea.

cu

59cobalt

addresses).

1) It is often not necessary. Usually, only a server administrator should have such access - and that access will usually be from a very small range of addresses. 2) It invites worldwide hack attempts. Even if rate limited, I have found that there are scanners that test only for open SSH ports, and when they find one, start throwing dictionary attack ID/PW combinations at them. On unix, once in (and with root access - which is usually the ID attacked), a simple "rm -rf /" and kiss your server goodbye.

PROPER computer security is to deny all except the MINIMUM needed to provide a function or service. By leaving it worldwide open, you're not doing that.

If that's what you choose to do (leave it open worldwide), my next question is: Are you really that stupid?

There may be scenarios where access can be restricted to a limited range of IP addresses. However, that doesn't make not restricting the source address range a bad idea.

So?

a) With public key authentication enforced that isn't an issue at all. b) Even more if you use AllowUsers or AllowGroups to grant access only to particular users or groups. c) Tools like DenyHosts or fail2ban limit the impact of brute-force attempts even more.

That's what backups and system recovery procedures are for.

I've found that you always run into scenarios where you need to log into a server from somewhere you never guessed before. ACTUAL proper security is to maintain functionality while reducing the risk of break-ins to a minimum.

Look, dimwit, just because you failed to understand how SSH can be secured appropriately doesn't mean the same would apply to the rest of the world.

cu

59cobalt