Re: Help: Server security compromised?





On Thu, Aug 7, 2008 at 11:53 PM, Ray Leventhal <centos@xxxxxxxx> wrote:

> My US$0.02 on this... I'm a fan of apf as a front-end to iptables...but it takes some reading to understand the switches and the entire RAB (reactive address blocking) configuration options.  Sadly, RAB is poorly documented, but with a bit of tinkering, I've enjoyed this feature tremendously as it cuts down on the hammering I used to get to port 22 by the bots and script kiddies.

Sad to say my usual tasks keep me sufficiently occupied that I hardly have the time to study what APF actually does. It came with ELS (Easy Linux Security) scripts with directadmin, sounds like A Good Idea (tm) so I just installed it. Personally I'm aghast at the manner in which I'm running the server but practically there is only that much time I can devote to being the server admin.
 

> If you've a static IP at your workstation, add your IP address to the apf nicely formed 'allow_hosts.rules' file, usually located in /etc/apf.  This is a simple IP address or IP block list (using slash notation, i.e. 192.168.1.0/24) to allow access to an IP or range of IPs.  Further, the deny_hosts.rules list is the same format for hosts to always deny.

I had considered this "allow only x.x.x.x" IP strategy very early on since it appeared to be an obvious way to head off attacks/probes from external parties. Unfortunately, like most folks, I'm on dynamic IP. My primary role also requires me to run around very often, necessitating urgent administration from a variety of potential sub-networks from whichever ISP happens to be providing access at the location. So I figured it would be quite impractical to attempt to limit access to only certain IP addresses.


Although thinking about it now, extending the concept from a previous suggestion, I suppose it is theoretically possible to write a privileged script accessible from one of the server hosted domains to activate an allow-host rule addition to the firewall and a cronjob that routinely activates another script to remove added hosts after 1 hour or something. So anytime access is needed, I would hit the website to activate the script to open up SSH access to the IP I am using at the moment and then SSH in.

But of course, easier said than done since I barely know shell scripting and allowing exec in PHP had always been met with a big frown personally. :D
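The firewall side of the one-hour temporary allow idea above, as an added example that is not part of the original thread or of APF itself. It assumes allow_hosts.rules takes one bare IP or CIDR per line, keeps the timestamps in a separate (constructed) state file so nothing non-standard is written into the APF file, and only attempts an `apf -r` reload when the binary is present; whatever web-facing trigger calls it must authenticate the requester, and this script just refuses anything that is not a plain IPv4 address.

```shell
#!/bin/sh
# Temporary allow entries for APF with a TTL (added example, not APF tooling).
RULES="${APF_RULES:-/etc/apf/allow_hosts.rules}"      # assumed APF file
STATE="${APF_TEMP_STATE:-/etc/apf/temp_allow.state}"  # constructed: "IP EPOCH" per line
TTL="${APF_TEMP_TTL:-3600}"                           # one hour, as in the thread

# Accept only a plain IPv4 address or IPv4 CIDR. The value arrives from a web
# request, so it must never reach the firewall files unchecked.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
    for oct in $(printf '%s' "${1%%/*}" | tr . ' '); do
        [ "$oct" -le 255 ] || return 1
    done
    pfx="${1#*/}"; [ "$pfx" = "$1" ] || [ "$pfx" -le 32 ] || return 1
}

# temp_allow IP NOW: append IP to the allow file (once) and record when it was added.
temp_allow() {
    valid_ipv4 "$1" || return 1
    grep -qxF "$1" "$RULES" 2>/dev/null || printf '%s\n' "$1" >> "$RULES"
    printf '%s %s\n' "$1" "$2" >> "$STATE"
    command -v apf >/dev/null 2>&1 && apf -r >/dev/null   # reload if APF is installed
    return 0
}

# expire_temp NOW: run from cron; drop every temporary entry older than TTL
# from both the allow file and the state file.
expire_temp() {
    [ -f "$STATE" ] || return 0
    tmp="$STATE.new"; : > "$tmp"
    while read -r ip added; do
        if [ $(( $1 - added )) -ge "$TTL" ]; then
            { grep -vxF "$ip" "$RULES" || :; } > "$RULES.new"   # grep exits 1 on empty result
            mv "$RULES.new" "$RULES"
        else
            printf '%s %s\n' "$ip" "$added" >> "$tmp"
        fi
    done < "$STATE"
    mv "$tmp" "$STATE"
    command -v apf >/dev/null 2>&1 && apf -r >/dev/null
    return 0
}
```

In practice the web trigger would call `temp_allow "$CLIENT_IP" "$(date +%s)"` and cron would call `expire_temp "$(date +%s)"` every few minutes.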



_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
