On 04/04/2014 06:22 AM, Dan McAllister wrote:
> I'm very much not a fan of re-assigning well-known-ports to other
> locations (like FTP or SSH).
> Most of us admins have static IPs where we work, if not where we live.
> If you try to SSH into any of my servers (other than just 1 that is
> not especially public), you'll be denied (connection dropped).
> I can get in because of my [source] IP address and my iptables rules.

That's certainly a better solution than "security by obscurity". I'm not
sure I'd feel comfortable with only one IP having access though. Might
want to have a backup or two.

> I also use a "trigger port" (try to open this "odd" port and it will
> fail -- but my SSH port will be OPEN for 3 minutes!)

"Port knocking" (I believe it's called) sounds cool to me. You can
conceivably combine multiple port numbers into a combination lock of
sorts. I haven't implemented this personally.

> Just some ideas

Thanks Dan. Nice ideas that aren't QMT specific, but I think should be
incorporated where feasible. We can at least document this type of thing
in the wiki.
--
-Eric 'shubes'

> Dan
>
> On 4/3/2014 2:56 PM, Eric Shubert wrote:
>> ftp uses a variety of ports in pasv mode. What works for me is to
>> limit the ports used for data in the ftp configuration, and open
>> those ports in the firewall.
>> If you use vsftpd, the pasv_min_port and pasv_max_port let you
>> define this range of ports. If you only have one user, you can use
>> the same port for min and max.
>> You probably should also change the listen_port so you're not using
>> standard ports at all. Same rationale as not using ssh on port 22. I
>> generally don't believe in security by obscurity, but at least it
>> keeps the script kiddies at bay.
>> (Wild in the West)
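As an added example (not code from the thread or from the QMT project), here is a small POSIX sh script that ties the two suggestions together: a limited vsftpd passive range on a non-standard listen_port, plus iptables rules that restrict SSH to a primary and a backup admin source IP. The IPs and ports are constructed placeholders; the script prints the rules for review instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread: emit the vsftpd passive-mode settings
# and the matching iptables rules discussed above. It prints the rules rather
# than applying them; review the output, then run it on the host.
# All addresses and ports below are constructed placeholders.
ADMIN_IPS="203.0.113.10 198.51.100.7"   # primary admin IP plus one backup
SSH_PORT=22
FTP_LISTEN_PORT=2121                    # non-standard control port (listen_port)
PASV_MIN=40000                          # pasv_min_port
PASV_MAX=40009                          # pasv_max_port

# Sanity checks worth running before touching the firewall.
check_config() {
    if [ "$PASV_MIN" -gt "$PASV_MAX" ]; then
        echo "pasv_min_port must not exceed pasv_max_port" >&2; return 1
    fi
    if [ "$FTP_LISTEN_PORT" -ge "$PASV_MIN" ] && [ "$FTP_LISTEN_PORT" -le "$PASV_MAX" ]; then
        echo "listen_port must lie outside the passive range" >&2; return 1
    fi
    return 0
}

# Lines to append to vsftpd.conf (keys are vsftpd's own, values constructed).
vsftpd_fragment() {
    printf 'listen_port=%s\npasv_enable=YES\npasv_min_port=%s\npasv_max_port=%s\n' \
        "$FTP_LISTEN_PORT" "$PASV_MIN" "$PASV_MAX"
}

# iptables rules: replies to existing connections first, SSH only from the
# admin IPs (everyone else dropped), then the FTP control port and the
# limited passive data range open to all clients.
iptables_rules() {
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for ip in $ADMIN_IPS; do
        echo "iptables -A INPUT -p tcp -s $ip --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $SSH_PORT -j DROP"
    echo "iptables -A INPUT -p tcp --dport $FTP_LISTEN_PORT -m conntrack --ctstate NEW -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $PASV_MIN:$PASV_MAX -m conntrack --ctstate NEW -j ACCEPT"
}

if check_config; then
    echo "# vsftpd.conf additions"; vsftpd_fragment
    echo "# firewall rules"; iptables_rules
fi
```

Because the passive range is opened explicitly, no FTP connection-tracking helper is needed for it; keep the range small, since every port in it is reachable from anywhere.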