# Anti port scan
-A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
# Deny an IP that creates 6 new connections within 2 seconds
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --update --seconds 2 --hitcount 6 --name DEFAULT --rsource -j DROP
-A INPUT -p tcp --dport 80 -m limit --limit 3/sec --limit-burst 10 -j DROP
-A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 15 -j DROP
-A INPUT -p tcp -m string --string "string you want to block" --algo bm -j DROP
-A INPUT -p tcp -m string --string "string you want to block" --algo kmp -j DROP
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s "your IP" -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
-A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DROP
-A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
-A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
-A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
-A INPUT -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
-A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
-A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
-A INPUT -p tcp --tcp-flags RST RST -j DROP
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
#-A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH SYN -j DROP
-A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH FIN -j DROP
-A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH ACK -j DROP
-A INPUT -m conntrack --ctstate INVALID -p tcp --tcp-flags ! SYN,RST,ACK,FIN,URG,PSH SYN,RST,ACK,FIN,URG,PSH -j DROP
-A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH FIN,URG,PSH -j DROP
# Now allow for HTTP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -p tcp --syn -j DROP
-A INPUT -j REJECT
-A FORWARD -j REJECT
Thursday, August 22, 2013
Thursday, August 15, 2013
Fixing postfix and saslauthd: cannot connect to saslauthd
If you are having issues getting postfix email server to authenticate
with saslauthd, your solution might be found in a missing symlink.
Remember that postfix runs in a chroot environment.
I find the following warning message in /var/log/mail.log:
warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
The warning message tells me that saslauthd can’t be located. The
real location is /var/spool/postfix/var/run/saslauthd, but postfix is
expecting to find it in /var/run/saslauthd. Create a symlink as
described below and see if that fixes your problem.
sudo ln -s /var/spool/postfix/var/run/saslauthd /var/run
sudo chown root:sasl /var/spool/postfix/var/run/saslauthd
sudo usermod -a -G sasl postfix
Be sure to restart postfix and saslauthd.
sudo /etc/init.d/postfix restart
sudo /etc/init.d/saslauthd restart
After restarting saslauthd, you should see some of the following files in /var/spool/postfix/var/run/saslauthd:
cache.flock cache.mmap mux/ mux.accept saslauthd.pid
Test using your smtp client and verify that you no longer receive the
previous warning message in your mail.log file. Hopefully this was your
quick fix.
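A check for the layout the steps above create, as an added example that is not part of the original post. The function name `check_saslauthd`, the helper `resolve_dir` and the optional root-prefix argument are assumptions of this example; the prefix only exists so the check can be pointed at a scratch tree instead of the live system.

```shell
#!/bin/sh
# Added example: audit the paths and group membership the fix relies on.
# Usage: check_saslauthd [ROOT]   (ROOT is a hypothetical prefix, empty = live system)

resolve_dir() {
    # Print the physical path of a directory, following symlinks.
    (cd "$1" 2>/dev/null && pwd -P)
}

check_saslauthd() {
    root="${1:-}"
    real="$root/var/spool/postfix/var/run/saslauthd"
    link="$root/var/run/saslauthd"
    rc=0

    # 1. saslauthd must keep its run directory inside the Postfix chroot.
    if [ ! -d "$real" ]; then
        echo "FAIL: $real does not exist"; rc=1
    # 2. The path named in the warning must resolve to that same directory.
    elif [ "$(resolve_dir "$link")" != "$(resolve_dir "$real")" ]; then
        echo "FAIL: $link does not resolve to $real"; rc=1
    # 3. After a restart, saslauthd recreates 'mux' (from the file list above).
    elif [ ! -e "$real/mux" ]; then
        echo "FAIL: $real/mux missing (is saslauthd running?)"; rc=1
    fi

    # 4. The postfix user must be a supplementary member of group sasl.
    members=$(awk -F: '$1 == "sasl" { print $4 }' "$root/etc/group" 2>/dev/null || true)
    case ",$members," in
        *,postfix,*) ;;
        *) echo "FAIL: postfix is not in group sasl"; rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: saslauthd layout matches the fix"
    return "$rc"
}
```

Run `check_saslauthd` with no argument after restarting both services; each FAIL line names the step that still needs to be applied.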
Tuesday, August 13, 2013
Repo for Centos
For x64
# wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm && wget http://rpms.famillecollet.com/enterprise/remi-release-7.rpm && wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm && rpm -Uvh remi-release-*.rpm epel-release-*.noarch.rpm rpmforge-release-*.rpm
and x86...
# wget http://dl.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm && wget http://rpms.famillecollet.com/enterprise/remi-release-5.rpm && wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el5.rf.x86_64.rpm && rpm -Uvh remi-release-5*.rpm epel-release-5*.rpm rpmforge-release-*.rpm
for both of them.
wget -q -O - http://www.atomicorp.com/installers/atomic |sh