Re: firewall?


On Sun, Jul 17, 2011 at 12:03:52AM +0100, Always Learning wrote:
> 
> If using SSH, FTP, phpmyadmin etc. etc. then DO NOT use the standard
> ports. Allocate a different IP address (if you have several) and use a
> non-web IP address for SSH and a different non-web IP address for
> phpmyadmin etc. WITH non-standard ports (you can go as high as about
> 64000). Also consider ONLY allowing access from predefined static IP
> addresses (under your control). Do not make it easy for the hackers.

The reality of the situation is that attacks are in almost all cases
non-targeted and are the results of automated scanning; playing security
through obscurity tricks with IP addresses is as futile as attempting to
herd kittens.

You should not be running ftp at all; ftp should be allowed to die off
as it's insecure just as is any protocol that transits credentials on
the wire in plaintext.  ftps is better; sftp/scp/rsync is better still.

phpmyadmin is a recipe for tears of blood; moving ports is better than
leaving it on 80/tcp, but better would be to not run it at all on a
routable IP.

In the cases of a targeted attack the attacker(s) will find your
services no matter what ports you have them hanging off of.

And TCP port numbers range from 0 to 65535.




							John
-- 
The First Law of Holes:

"It is a good thing to follow the First Law of Holes: if you are in one, stop
digging." - Denis Healy


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
