Last active
August 29, 2015 14:22
-
-
Save dreadwarrior/e254881e7808c67466eb to your computer and use it in GitHub Desktop.
Linux Server Diary
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 1. Change root password after server provision | |
| 2. Create unprivileged user | |
| 3. Create SSH key pair on client machine and ssh-copy-id to user | |
| 4. Adjust /etc/ssh/sshd_config: | |
| PermitRootLogin no | |
| PubkeyAuthentication yes | |
| AllowUsers %user% | |
| PasswordAuthentication no | |
| TCPKeepAlive no | |
| UsePAM no | |
| 5. Prepare iptables | |
| - Protect against SSH Brute Force | |
| - Protect email daemon ports during setup | |
| *filter | |
| :INPUT ACCEPT [803:54262] | |
| :FORWARD ACCEPT [0:0] | |
| :OUTPUT ACCEPT [479:50626] | |
| -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource -j ACCEPT | |
| -A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "SSH_brute_force " | |
| -A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP | |
| # @see http://www.cyberciti.biz/faq/iptables-block-port/ | |
| -A INPUT -p tcp -m tcp --dport 25 -j DROP | |
| -A INPUT -p tcp -m tcp --dport 143 -j DROP | |
| -A INPUT -p tcp -m tcp --dport 110 -j DROP | |
| COMMIT | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Taking e-mail back | |
| Part 1: http://arstechnica.com/information-technology/2014/02/how-to-run-your-own-e-mail-server-with-your-own-domain-part-1/1/ | |
| Part 2: http://arstechnica.com/information-technology/2014/03/taking-e-mail-back-part-2-arming-your-server-with-postfix-dovecot/1/ | |
| Part 3: http://arstechnica.com/business/2014/03/taking-e-mail-back-part-3-fortifying-your-box-against-spammers/ | |
| Part 4: http://arstechnica.com/information-technology/2014/04/taking-e-mail-back-part-4-the-finale-with-webmail-everything-after/ | |
| Spamassassin sa-learn cronjob | |
| http://www.dovecot.org/list/dovecot/2008-January/028413.html |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment