##############################################################################
# Uncomment to allow DNS zone transfers
#
#$IPTABLES -A INPUT -i eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
#$IPTABLES -A INPUT -i eth0 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
#$IPTABLES -A OUTPUT -o eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
#$IPTABLES -A OUTPUT -o eth0 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
##############################################################################
# Uncomment to allow DNS zone transfers
#
$IPTABLES -A INPUT -i eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
RTKS said: You can get down to that line by hitting the j key until you are at the pound sign. If you go too far, hit the k key to go up.
Once at the #, hit x to delete the pound sign.
Then hit the l key to get over to the first 0. Again, if you go too far, hit h to back up.
Now hit R (has to be capital) and type in your "non-public" address. When you're done, hit the Escape key. Then save your work by typing a colon and then wq and hitting return (:wq).
RTKS said: I've decided to restrict SSH access to one "non-public" IP address and thought it might be good to add to this checklist?
thuskey said: If you really want to be anal, move the port for the ssh listener daemon to something like 8022 and then throw a portsentry listener on port 22 that would immediately firewall all unauthorized access. This will stop an attacker immediately from proceeding onto other vulnerable ports because portsentry will issue an iptables drop rule against the attempted connector's IP address. Of course you will want to add your home/office IPs to the exclude list because you WILL accidentally try to connect to the original port yourself once in a while out of habit.
jlasman said: Here's my /etc/sysconfig/ipchains file (if you use iptables you'll have to do the conversion yourself)...
(and if you keep reading afterwards I'll tell you what all those ports from 49152 through 49161 are for)...
Those ports from 49151 through 49162 are left open for proftpd to be able to do passive ftp...
Code:
-A input -s 0/0 -d 0/0 143 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 110 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 53 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 53 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 113 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 113 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 443 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 443 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 2222 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 2222 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 123 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 25 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 21 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -s 0/0 53 -d 0/0 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 66 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 66 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 49152 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49153 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49154 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49155 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49156 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49157 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49158 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49159 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49160 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49161 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 -p tcp -y -j REJECT
-A input -s 0/0 -d 0/0 -p udp -j REJECT
And here's the code you need to put into /etc/proftpd.conf to tell proftpd to use these open ports (I put it right after the Port line):
Code:
##### added to make passive transfer work
# use part of the IANA registered ephemeral port range
PassivePorts 49152 49161
####
Jeff
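The ipchains file above can be translated to iptables mechanically. The converter below is an added example, not jlasman's or the forum's own code; it assumes every rule has the one-line shape used in that file (-A input -s SRC [SPORT] -d DST [DPORT] [-i IF] [-p PROTO] [-y] -j TARGET) and only handles the input chain.

```shell
#!/bin/sh
# Added example (not from the post): translate ipchains "input" rules of the shape
# "-A input -s SRC [SPORT] -d DST [DPORT] [-i IF] [-p PROTO] [-y] -j TARGET"
# into iptables INPUT rules. 0/0 means "any" and is dropped; a port glued to
# -s/-d becomes --sport/--dport; -y (match SYN packets only) becomes --syn.
convert_ipchains_rule() {
    src='' dst='' sport='' dport='' proto='' iface='' syn='' target=''
    while [ $# -gt 0 ]; do
        case "$1" in
            -A) shift 2 ;;                         # only the input chain is handled
            -s) src=$2; shift 2
                case "${1:-}" in ''|-*) ;; *) sport=$1; shift ;; esac ;;
            -d) dst=$2; shift 2
                case "${1:-}" in ''|-*) ;; *) dport=$1; shift ;; esac ;;
            -i) iface=$2; shift 2 ;;
            -p) proto=$2; shift 2 ;;
            -y) syn=1; shift ;;
            -j) target=$2; shift 2 ;;
            *)  printf 'unknown ipchains token: %s\n' "$1" >&2; return 1 ;;
        esac
    done
    out='iptables -A INPUT'
    [ -n "$iface" ] && out="$out -i $iface"
    case $src in ''|0/0) ;; *) out="$out -s $src" ;; esac
    case $dst in ''|0/0) ;; *) out="$out -d $dst" ;; esac
    [ -n "$proto" ] && out="$out -p $proto"
    [ -n "$sport" ] && out="$out --sport $sport"
    [ -n "$dport" ] && out="$out --dport $dport"
    [ -n "$syn" ] && out="$out --syn"
    printf '%s -j %s\n' "$out" "$target"
}

# Convert a whole ipchains file read from stdin. The ipchains file relies on the
# stateless -y trick (only SYNs are rejected, so reply packets of outbound flows
# get in); iptables should accept established flows explicitly, so that rule is
# emitted first.
convert_ipchains_file() {
    printf '%s\n' 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    while read -r line; do
        case $line in ''|\#*) continue ;; esac
        set -- $line                               # intentional word splitting
        convert_ipchains_rule "$@" || return 1
    done
}
```

Run it as `convert_ipchains_file < /etc/sysconfig/ipchains` and review the output before loading it; the per-port udp ACCEPTs for 443 and 2222 in the original are carried over verbatim even though those services only listen on tcp.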