
SSH, again! And Postfix too.

January 3, 2008

In the end I chickened out on leaving the computer turned on with SSH open while I was away — I messed up my crons about a week before leaving, which resulted in DynDNS cutting me off, and just the thought of something like that happening again, with my computer sitting like a duck on the Web while I couldn’t turn it off remotely, made me uncomfortable — just as well, because I wouldn’t have had time to connect while away anyway. End of year celebrations are a bit crazy, and this one was… awkward, let’s say. Meh. While waiting for the plane (late, of course), I started reading the SSH book and I love it. As soon as I came home last week I set up a pair of keys and damn, it really was that easy, it took me like 2 minutes. I disabled password authentication at the same time. I made a different key for my laptop as well. I don’t know which way would be best, copying my desktop key all over the place or creating a different key for each of the three computers I connect with… I went with the second, it feels more right — I’ll see.

After this I started toying with the idea of going back to port 22… More convenient… But I wanted to fix my cron problem first, so I could receive emails about what was going on with sshd in the logs. Every message I see about cron and email in the Ubuntu forums seems to be about people not wanting to receive those damn emails anymore, while I had the opposite problem: I couldn’t receive anything.

I think one of the reasons I spent so many %£#@] hours on this is that it’s the third or fourth time I’ve come back to it, and all the stuff I messed with before messed up what I was doing now. For instance, I tried to use mailx with --verbose but my mailbox would remain empty of any status report, and the mail log would show <removed> or something like that. After two or three hours of just trying to change main.cf, purging and reinstalling and dpkg-reconfiguring postfix and mailx, I decided to flush my spam folder on Gmail for a break and what do I see… About 30 “Undelivered Mail to Sender” containing the messages I tried to send myself. I think my brain exploded about that time.

Then I remembered I’d set up a .forward file in my home folder with my gmail address. So instead of storing messages in my mailbox, they were directly forwarded to my email. Nice.

Now, why was I getting automatic Undelivered reports, but when manually sending emails I would get ‘blablabla relay=none, delay=20, delays=0.12/0.03/20/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=mail1.eircom.net type=MX: Host not found, try again)’?

Well, I’ll spare the details because I spent so many bloody hours on this, but the gist is this: when I read that relayhost should be smtp.isp.bla, I assumed that I should write down the SMTP server address I use to send emails, i.e. mail1.eircom.net. Turns out I was wrong. It should just be relayhost = eircom.net — I found that out while trying to telnet into eircom.net on port 25… I’d probably never have found it if I hadn’t reached the drone stage where I just try and try and try stuff, even the stupidest things that I’m sure won’t work but try anyway just in case. Knowing this, this post on Ubuntu-forums probably would have been enough to get the thing working in the first place. And the Undelivered reports were there because, without a relay, I think Postfix tries to use the SMTP server of the recipient (which Gmail doesn’t like much).

I now receive a report every day that tells me that some dumb ass has tried 200 logins on my server, so I’m off looking at how to configure iptables to blacklist them automatically… This looks like a good starting point.
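The daily report mentioned above is just a summary of the sshd "Failed password" lines in the auth log. The following is an added example (not from the post) of how such a summary, and the per-source list that a blacklist would be built from, can be produced; the log lines, hostname, user names and addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the format sshd writes to /var/log/auth.log;
# hostnames, users and addresses are made up for this example.
SAMPLE_AUTH_LOG = """\
Jan  3 02:14:07 desktop sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan  3 02:14:09 desktop sshd[4123]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2
Jan  3 02:14:12 desktop sshd[4125]: Failed password for root from 203.0.113.7 port 51251 ssh2
Jan  3 02:15:30 desktop sshd[4130]: Failed password for invalid user oracle from 198.51.100.23 port 4022 ssh2
Jan  3 08:01:44 desktop sshd[4502]: Accepted publickey for me from 192.0.2.10 port 40110 ssh2
Jan  3 08:02:00 desktop sshd[4510]: Failed password for me from 192.0.2.10 port 40111 ssh2
"""

# Matches only failed password attempts; key-based and accepted logins are skipped.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def failed_logins_by_source(log_text):
    """Return {src_ip: (failed_attempts, set_of_usernames_tried)}."""
    counts, users = Counter(), {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m["src"]] += 1
            users.setdefault(m["src"], set()).add(m["user"])
    return {src: (n, users[src]) for src, n in counts.items()}

def noisy_sources(log_text, threshold):
    """Sources with at least `threshold` failures, busiest first (then by IP).
    This is the list a daily cron report, or a blacklist rule, is built from."""
    summary = failed_logins_by_source(log_text)
    hits = [(src, n) for src, (n, _) in summary.items() if n >= threshold]
    return sorted(hits, key=lambda item: (-item[1], item[0]))

def daily_report(log_text, threshold=3):
    """Plain-text summary in the spirit of what cron mails out every day."""
    summary = failed_logins_by_source(log_text)
    lines = []
    for src, n in noisy_sources(log_text, threshold):
        tried = ", ".join(sorted(summary[src][1]))
        lines.append(f"{src}: {n} failed password logins (users tried: {tried})")
    return "\n".join(lines) if lines else "no source reached the threshold"

if __name__ == "__main__":
    print(daily_report(SAMPLE_AUTH_LOG))
```

Note that a single failed password from an address you also log in from (192.0.2.10 above) stays below the threshold, which is the reason for thresholding before feeding anything to a blacklist rule.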


2 comments

  1. As for iptables, I would try something like this:

    iptables -A INPUT -p tcp -m state --syn --state NEW --dport ssh -m limit --limit 1/minute --limit-burst 1 -j ACCEPT

    iptables -A INPUT -p tcp -m state --syn --state NEW --dport ssh -j DROP

    Basically limits connection floods. You can change the “1/minute” part to whatever you want.


  2. Thanks for the input!

    A while ago I tried the following:

    iptables -A INPUT -p tcp --dport 22 -m limit --limit 2/minute --limit-burst 1 -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset

    and the only difference was that the scripts took 20 min instead of 5 when trying their 200 logins (…disappointing).

    The “tcp -m state --syn --state NEW” looks interesting… I’m going to try and see if it works as I think. Thanks for taking the time to post this!


