Jakub Czajka [Fri, 7 Oct 2022 17:31:10 +0000 (19:31 +0200)]
[postfix] Rewrite sender for outgoing email.
`myorigin` specifies the address of outgoing email (user@domain). It
defaults to `$myhostname = gethostname()`. This allows rewriting the
sender of outgoing email without changing configuration.
Jakub Czajka [Sun, 25 Sep 2022 19:35:16 +0000 (21:35 +0200)]
[sshd] Disable reverse DNS checks.
By default `sshd` compares the IP address of the client with the
result of a reverse DNS query for that address. However, many clients
do not have reverse DNS records. This commit disables the check.
Jakub Czajka [Sun, 25 Sep 2022 17:44:41 +0000 (19:44 +0200)]
[sshd] Limit the number of alive messages.
`sshd` keeps idle connection alive for `ClientAliveInterval` seconds
and then sends `ClientAliveCountMax` alive messages. If client does
not respond, `sshd` terminates the connection. This commit limits the
number of alive messages to 1.
Note: `ClientAliveCountMax` applies only to SSH protocol 2.
Jakub Czajka [Sun, 25 Sep 2022 15:27:55 +0000 (17:27 +0200)]
[sshd] Listen on a non-standard port.
By default `sshd` listens on port 22. Most attack scripts are written
for this configuration. This commit changes the port to 72, which is
not used by any other popular service.
Jakub Czajka [Sun, 25 Sep 2022 15:11:45 +0000 (17:11 +0200)]
[sshd] Disable password authentication.
Client can authenticate with `sshd` through one of following
authentication methods (corresponding sshd_config option in brackets):
- host-based (`HostbasedAuthentication`),
- public key (`PubkeyAuthentication`),
- challenge-response (`ChallengeResponseAuthentication`),
- password (`PasswordAuthentication`).
By default, only `PubkeyAuthentication` and `PasswordAuthentication`
are enabled. This commit disables `PasswordAuthentication`. Users
can now login only using public key authentication.
projects / server.git / log