Re: [SOLVED] iptables rule question for Centos 5




On 08/04/2012 01:43 AM, Keith Roberts wrote:
> On Fri, 3 Aug 2012, SilverTip257 wrote:
>
>> To: CentOS mailing list <centos@xxxxxxxxxx>
>> From: SilverTip257 <silvertip257@xxxxxxxxx>
>> Subject: Re:  [SOLVED] iptables rule question for Centos 5
>>
>> Marvin,
>>
>> You're leaving SSH open to the world with that.
>> If this is a box behind a firewall, then it's not _as much of a
>> concern_ ... otherwise you're opening that server up to ssh brute
>> force attempts.
>>
>> Your existing configuration is probably set up to drop/reject if
>> traffic does not match any of your rules, so you've nearly solved the
>> "blocking all other traffic" from server2.  But you really should put
>> a specific rule on server1 with source as server2 and dest port 22
>> being accepted.
>>
>> -s server2 -p tcp --dport 22 -j ACCEPT
> Or move the SSH port to a non-standard one?
>

Moving the port to a non-standard port is better than nothing ... but
only by a very slight bit.  It might work on the least knowledgeable
script kiddies who only look at port 22, but it will do nothing to hide
the fact that it is an open-to-the-world ssh port on an nmap scan, etc.

Three much better options are:

1.  Use a --source in the IPTABLES rules if you only connect from a
limited number of places.
2. Some kind of VPN (like openvpn)
3. Port Knocking:  http://www.portknocking.org/view/faq

2 and 3 can both be open from everywhere, and all 3 do not show as an
open ssh port from remote scans, which is what you want.
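One way to put option 1 (and the `-s server2 -p tcp --dport 22 -j ACCEPT` rule quoted above) into practice on server1, as an added example that is not from this thread; it assumes a constructed server2 address of 192.0.2.10, the CentOS 5 iptables/iptables-restore userland, and a default DROP policy so everything not listed is blocked:

```shell
#!/bin/sh
# Added example (not from the thread): build an iptables-restore ruleset for
# server1 that accepts SSH only from server2 and drops everything else.
# Assumption: server2 is 192.0.2.10 (constructed TEST-NET-1 address).
set -e

# Print a filter-table ruleset in iptables-restore format.
# $1 = trusted source (host or CIDR), $2 = SSH port (defaults to 22)
ssh_ruleset() {
    src="$1"
    port="${2:-22}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, plus replies to connections this host started
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# new SSH sessions only from the trusted source; all other sources hit the DROP policy
-A INPUT -s $src -p tcp --dport $port -m state --state NEW -j ACCEPT
# rate-limited log of what is dropped, so brute-force attempts are visible in /var/log/messages
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Count rules that would accept a new SSH connection; a correct ruleset has exactly one.
ssh_accept_count() {
    ssh_ruleset "$1" "$2" | grep -c -- "--dport ${2:-22} .* -j ACCEPT"
}

# Apply only when asked explicitly and running as root; otherwise just print the ruleset.
if [ "$1" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "need root to apply the ruleset" >&2; exit 1; }
    ssh_ruleset "${2:?trusted source required}" "${3:-22}" | iptables-restore
    # on CentOS 5, persist across reboots with: service iptables save
else
    ssh_ruleset "${1:-192.0.2.10}" "${2:-22}"
fi
```

Running it without `--apply` prints the ruleset for review; with `--apply <source> [port]` as root it loads the rules, so check the printed output first from a console session rather than over SSH.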

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
