Subj : Re: OK, question time...
To   : Morgul #1
From : Surgical Steel #1@129.Wwivnet
Date : Tue Feb 23 2021 06:09 pm

-=> MORGUL #1 @8315 wrote to ALL <=-

M#@> What can I do to make things more secure to protect the BBS and my
M#@> internal network. Right now, when I activate it, only port 2323 is
M#@> being allowed in and forwarded to my WWIV computer, a Raspberry Pi.

Since `wwiv` is an isolated user, and shouldn't have sudo access, a lot of your typical issues won't be quite as big of a problem. On that note, though, if you have shared drives hooked up to the Pi, they should probably be read-only to help there.

There's some fail2ban rules that work pretty well, though if you search for instructions it's... not great? So:

```
sudo apt install fail2ban
sudo su -
cd /etc/fail2ban
cp jail.conf jail.local
```

Use the editor of your choice to edit jail.local. In particular, the ignoreip line:

```
ignoreip = 127.0.0.1/24 192.168.1.0/24
```

That exempts localhost and LAN from checking. Then

```
touch /etc/fail2ban/jail.d/wwivd.conf
touch /etc/fail2ban/filter.d/wwivd.conf
```

The first file (`/etc/fail2ban/jail.d/wwivd.conf`) should look like this:

```
[wwivd-telnet]
enabled = true
filter = wwivd
port = 2323
logpath = /var/log/syslog
findtime = 600
maxretry = 6
bantime = 3600
ignoreip = 127.0.0.1/24 192.168.1.0/24
action = iptables[name=WWIVD, port="2323", protocol=tcp]

[wwivd-ssh]
enabled = false
filter = wwivd
port = 2222
logpath = /var/log/syslog
findtime = 600
maxretry = 6
bantime = 3600
ignoreip = 127.0.0.1/24 192.168.1.0/24
action = iptables[name=WWIVD, port="2222", protocol=tcp]
```

I do not have the ssh port open, so that jail is disabled. You can play with findtime, maxretry, and bantime as you like. The ignoreip is a duplicate, but it doesn't hurt.

The second file (`/etc/fail2ban/filter.d/wwivd.conf`) should look like this:

```
# Fail2Ban filter for wwivd
#
# Cfr.: /var/log/(daemon\.|sys)log
#

[INCLUDES]

# Read common prefixes. If any customizations available --
# read them from common.local
before = common.conf

[Definition]

# <HOST> is the fail2ban tag that captures the client address;
# every failregex needs one.
failregex = wwivd.*INFO\s+Accepted connection.*from:\s+<HOST>
            wwivd.*INFO\s+Trashcan.*:\s+<HOST>

# Older formats of the log files. Uncomment this one if using
# an older wwivd
#failregex = wwivd.*INFO\s+Connection from:\s+<HOST>$
#            wwivd.*INFO\s+Accepted connection.*from:\s+<HOST>$
#            wwivd.*INFO\s+Trashcan.*:\s+<HOST>

ignoreregex =
```

M#@> Also as a side note - I've got a dynamic IP from my provider. Anyone
M#@> else deal with dynamic IP on your system, and still making it
M#@> available to the outside?

Namecheap (not my ISP, but who I have all my domains registered with) can allow you to have dynamic DNS tied to a registered domain name. I use `ddclient` (in the repos) to update things, and call it from a cronjob.

Also, FreeDNS (https://freedns.afraid.org/) can also allow you to have dynamic IP attached to a subdomain and with updates using curl.

Steven / Surgical Steel
.xx$xxxxxx$xxxxxx$xxxxxx$xxxxxxxxxxxxxxxxxxx$xxxxxx$xxxxxx$xxxxxx$xx.
Faith Collapsing BBS bbs.faithcollapsing.com:2323 WWIVnet@129
.xx$xxxxxx$xxxxxx$xxxxxx$xxxxxxxxxxxxxxxxxxx$xxxxxx$xxxxxx$xxxxxx$xx.

.... Don't do something permanently stupid just because you're temporarily upset.
--- MultiMail/Linux v0.52
--- WWIVToss v.1.52
 * Origin: http://www.weather-station.org * Bel Air, MD -USA (11:1/101.0)
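
An added example, not part of the original message and not WWIV or fail2ban code: a simplified Python model of how the `wwivd-telnet` jail and filter interact, useful for checking which addresses a log would ban before enabling the jail. It assumes each failregex ends in fail2ban's `<HOST>` tag, uses an IPv4-only stand-in for that tag, and runs on constructed log lines (the real wwivd layout may differ). Because the filter matches every accepted connection, any non-exempt address that connects 6 times within 600 seconds is banned, whether or not a login failed.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Simplified stand-in for fail2ban's <HOST> tag (IPv4 only; the real tag
# also matches IPv6 addresses and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = [re.compile(p.replace("<HOST>", HOST)) for p in (
    r"wwivd.*INFO\s+Accepted connection.*from:\s+<HOST>",
    r"wwivd.*INFO\s+Trashcan.*:\s+<HOST>",
)]
# Jail values from the post. strict=False accepts 127.0.0.1/24 as a network.
IGNOREIP = [ipaddress.ip_network(n, strict=False)
            for n in ("127.0.0.1/24", "192.168.1.0/24")]
FINDTIME, MAXRETRY = 600, 6

def match_host(line):
    """Return the address a failregex captures from line, or None."""
    for rx in FAILREGEX:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None

def banned_hosts(events):
    """events: (epoch_seconds, log_line) pairs -> set of addresses banned."""
    hits, banned = defaultdict(deque), set()
    for ts, line in sorted(events):
        host = match_host(line)
        try:
            addr = ipaddress.ip_address(host or "")
        except ValueError:          # no match, or not a valid address
            continue
        if any(addr in net for net in IGNOREIP):
            continue                # exempt: localhost or LAN
        window = hits[host]
        window.append(ts)
        while ts - window[0] > FINDTIME:    # drop hits older than findtime
            window.popleft()
        if len(window) >= MAXRETRY:
            banned.add(host)
    return banned

# Constructed sample lines; timestamps are carried separately as seconds.
LINE = "pi wwivd[812]: INFO  Accepted connection on port 2323; from: {}"
SAMPLE = [(60 * i, LINE.format(ip)) for i in range(6)
          for ip in ("203.0.113.7", "192.168.1.20")]      # rapid reconnects
SAMPLE += [(3000 * i, LINE.format("198.51.100.9")) for i in range(6)]  # slow
```

`banned_hosts(SAMPLE)` returns only `203.0.113.7`: the LAN address is exempt and the slow caller never has six hits inside one findtime window.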