Re: [SLUG] editing iptables on Centos
On Wed, December 27, 2006 10:26 am, Alexander Stanley wrote:

> configure it to a non-standard port (12435 or something that nobody else
> would think of it immediately) and/or configure it against your own IP
> address so that only you can access webmin. This can be done with
> something like this:
>
> # iptables -A INPUT -p tcp -s xxx.xxx.xxx.xxx --dport 12435 -j ACCEPT

thanks, Alex

what's the range of acceptable non-standard port #s for webmin and ssh,
can I use any 5 digit number ?

--
Voytek

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] editing iptables on Centos
Voytek Eymont wrote:
> On Wed, December 27, 2006 10:26 am, Alexander Stanley wrote:
>> configure it to a non-standard port (12435 or something that nobody else
>> would think of it immediately) and/or configure it against your own IP
>> address so that only you can access webmin. This can be done with
>> something like this:
>>
>> # iptables -A INPUT -p tcp -s xxx.xxx.xxx.xxx --dport 12435 -j ACCEPT
>
> thanks, Alex
>
> what's the range of acceptable non-standard port #s for webmin and ssh,
> can I use any 5 digit number ?

G'day again,

To be honest I'm not 100% sure. From memory anything above 10,000 is
considered fine, but I've usually gone for numbers with significance by
stringing together birthday dates with a random number to join them. So,
take Australia Day (26th of the 1st month) and go 26901 for webmin :)
Or take the ages of two people and another number (or the age of a place
you work or live or something).

Hope it helps.

Hoo Roo,
Alex.
Re: [SLUG] editing iptables on Centos
On 28/12/06, Alexander Stanley [EMAIL PROTECTED] wrote:
> Voytek Eymont wrote:
>> what's the range of acceptable non-standard port #s for webmin and ssh,
>> can I use any 5 digit number ?
>
> G'day again,
>
> To be honest I'm not 100% sure. From memory anything above 10,000 is
> considered fine, but I've usually gone for numbers with significance by
> stringing together birthday dates with a random number to join them. So,
> take Australia Day (26th of the 1st month) and go 26901 for webmin :)
> Or take the ages of two people and another number (or the age of a place
> you work or live or something).

$ perl -e 'print int rand 65536, "\n"'

I don't think there is any practical limitation above 1024 or so, except
for the unofficial protocols like backorifice and friends.

--P
Re: [SLUG] editing iptables on Centos
Penedo wrote:
> On 28/12/06, Alexander Stanley [EMAIL PROTECTED] wrote:
>> Voytek Eymont wrote:
>>> what's the range of acceptable non-standard port #s for webmin and ssh,
>>> can I use any 5 digit number ?
>>
>> G'day again,
>>
>> To be honest I'm not 100% sure. From memory anything above 10,000 is
>> considered fine, but I've usually gone for numbers with significance by
>> stringing together birthday dates with a random number to join them. So,
>> take Australia Day (26th of the 1st month) and go 26901 for webmin :)
>> Or take the ages of two people and another number (or the age of a place
>> you work or live or something).
>
> $ perl -e 'print int rand 65536, "\n"'
>
> I don't think there is any practical limitation above 1024 or so, except
> for the unofficial protocols like backorifice and friends.
>
> --P

G'day Penedo and others,

Yes, anything above 1024 is nice, but a lot of people have thrown in the
unofficial protocols as you said and I find most of them reside between
1024 and 10,000 (although there are a few outlying ones). Best bet is
usually an obscurely high number ;)

Hoo Roo,
Alex.
Re: [SLUG] editing iptables on Centos
On Tue, December 26, 2006 12:33 pm, [EMAIL PROTECTED] wrote:
>> On Monday 25 December 2006 05:43, [EMAIL PROTECTED] wrote:
>>> On Sat, December 23, 2006 6:28 pm, Andreas Fischer wrote:
>
> Well suse is a good solution. YAST is a very nice sys-admin tool, the
> best I've used, and yast (vs yast2) is a curses based version that
> makes remote GUI-type admin a cinch (without X).

James, thanks

that's not going to run on Centos, or is it ?

--
Voytek
Re: [SLUG] editing iptables on Centos
Voytek Eymont wrote:
> On Tue, December 26, 2006 12:33 pm, [EMAIL PROTECTED] wrote:
>>> On Monday 25 December 2006 05:43, [EMAIL PROTECTED] wrote:
>>>> On Sat, December 23, 2006 6:28 pm, Andreas Fischer wrote:
>>
>> Well suse is a good solution. YAST is a very nice sys-admin tool, the
>> best I've used, and yast (vs yast2) is a curses based version that
>> makes remote GUI-type admin a cinch (without X).
>
> James, thanks
>
> that's not going to run on Centos, or is it ?

G'day guys,

In terms of a web-gui you could employ webmin ( www.webmin.com from
memory ). As for a GUI based tool I don't know any that work too well.
I find manually doing iptables a few times a month keeps you in
practice :)

Hoo Roo,
Alex.
Re: [SLUG] editing iptables on Centos
On Wed, December 27, 2006 12:55 am, Alexander Stanley wrote:
> G'day guys,
>
> In terms of a web-gui you could employ webmin ( www.webmin.com from
> memory ). As for a GUI based tool I don't know any that work too well.
> I find manually doing iptables a few times a month keeps you in
> practice :)

thanks, Alex

of course, I'll need to open port 1 somehow before I can use that...
(but, yes, I think I'll install webmin anyhow)

--
Voytek
Re: [SLUG] editing iptables on Centos
On Wednesday 27 December 2006 07:54, [EMAIL PROTECTED] wrote:
>> Well suse is a good solution. YAST is a very nice sys-admin tool, the
>> best I've used, and yast (vs yast2) is a curses based version that
>> makes remote GUI-type admin a cinch (without X).
>
> James, thanks
>
> that's not going to run on Centos, or is it ?

yast is GPL, but YMMV in getting it running on centos. I guess what I'm
saying is that for my commercial customers I use suse and remote sys
admin is a cinch for them. I've found fedora, (redhat) and ubuntu tools
to be somewhat fragmented and X intensive. Of course you can do
*everything* with vi, and when that's easier I do, but when it's not ...

James
Re: [SLUG] editing iptables on Centos
On Wednesday 27 December 2006 07:54, [EMAIL PROTECTED] wrote:
>>> On Sat, December 23, 2006 6:28 pm, Andreas Fischer wrote:
>>
>> Well suse is a good solution. YAST is a very nice sys-admin tool, the
>> best I've used, and yast (vs yast2) is a curses based version that
>> makes remote GUI-type admin a cinch (without X).
>
> James, thanks
>
> that's not going to run on Centos, or is it ?

> G'day guys,
>
> In terms of a web-gui you could employ webmin ( www.webmin.com from
> memory ). As for a GUI based tool I don't know any that work too well.
> I find manually doing iptables a few times a month keeps you in
> practice :)

For information and interest, no soap box in sight ...

I did all of my iptables and masq setup with yast except OpenVPN tun
stuff which was a one-liner in the Suse-firewall-custom script so mail,
ssh on a secret port, www, dns and pop as well.

James
Re: [SLUG] editing iptables on Centos
Voytek Eymont wrote:
> On Wed, December 27, 2006 12:55 am, Alexander Stanley wrote:
>> G'day guys,
>>
>> In terms of a web-gui you could employ webmin ( www.webmin.com from
>> memory ). As for a GUI based tool I don't know any that work too well.
>> I find manually doing iptables a few times a month keeps you in
>> practice :)
>
> thanks, Alex
>
> of course, I'll need to open port 1 somehow before I can use that...
> (but, yes, I think I'll install webmin anyhow)

G'day Voytek,

The port doesn't have to be port 10,000 actually.

On the note of opening port 10,000 (or any port) for webmin, try
something like this:

# iptables -A INPUT -p tcp --dport 1 -j ACCEPT

Closing the port can be done with:

# iptables -D INPUT -p tcp --dport 1 -j ACCEPT

To run these commands you will need to ssh in (so PuTTy looks like a good
candidate).

I'd suggest you download the latest webmin tarball and configure it to a
non-standard port (12435 or something that nobody else would think of it
immediately) and/or configure it against your own IP address so that
only you can access webmin. This can be done with something like this:

# iptables -A INPUT -p tcp -s xxx.xxx.xxx.xxx --dport 12435 -j ACCEPT

And again, closing is just changing the -A to -D

# iptables -D INPUT -p tcp -s xxx.xxx.xxx.xxx --dport 12435 -j ACCEPT

I'm a little rusty on the whole thing, but that looks right to me (others
feel free to correct me if I'm wrong).

Hoo Roo,
Alex.
Re: [SLUG] editing iptables on Centos
On Monday 25 December 2006 05:43, [EMAIL PROTECTED] wrote:
> On Sat, December 23, 2006 6:28 pm, Andreas Fischer wrote:
>>> thanks, I'd prefer to use some utility, but, I only have ssh access;
>>> is there something that will run over ssh ? otherwise I'm stuck with
>>> editing the conf files
>>
>> Can't you just enable X forwarding over your ssh connection?
>
> Andreas, I guess I could, though suspect it wouldn't do much for me:
> I don't have X on the remote machine; I don't have X on anything here;
> I don't have any Linux system here; and, lastly, I don't have hardware
> that would run X at acceptable performance.
>
>> On 12/23/06, Voytek Eymont [EMAIL PROTECTED] wrote:
>>> On Sat, December 23, 2006 2:44 pm, donohueb wrote:
>>>> you may prefer to manually write iptables, however I use a nice front
>>>> end called guarddog. Ben

Well suse is a good solution. YAST is a very nice sys-admin tool, the
best I've used, and yast (vs yast2) is a curses based version that makes
remote GUI-type admin a cinch (without X).

James
Re: [SLUG] editing iptables on Centos
On Sat, December 23, 2006 6:28 pm, Andreas Fischer wrote:
>> thanks, I'd prefer to use some utility, but, I only have ssh access;
>> is there something that will run over ssh ? otherwise I'm stuck with
>> editing the conf files
>
> Can't you just enable X forwarding over your ssh connection?

Andreas, I guess I could, though suspect it wouldn't do much for me:
I don't have X on the remote machine; I don't have X on anything here;
I don't have any Linux system here; and, lastly, I don't have hardware
that would run X at acceptable performance.

> On 12/23/06, Voytek Eymont [EMAIL PROTECTED] wrote:
>> On Sat, December 23, 2006 2:44 pm, donohueb wrote:
>>> you may prefer to manually write iptables, however I use a nice front
>>> end called guarddog. Ben

--
Voytek
Re: [SLUG] editing iptables on Centos
Hi Voytek,

you may prefer to manually write iptables, however I use a nice front end
called guarddog.

Ben

Voytek Eymont wrote:
> I've setup Centos 4.4 with default firewall setup, to allow
> http/smtp/ssh/ftp; I didn't see any option to add additional exceptions
> in install screens; I'd like to allow MySQL/3306 access
>
> looking at /etc/sysconfig/iptables, the tail of file has like:
> --
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> --
>
> can I just add like, after 'dport 25' line;
>
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
>
> the first line of this file reads:
> # Manual customization of this file is not recommended.
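The two rule-editing questions in this thread (Voytek's "can I add the 3306 line after the dport 25 line", and Alex's source-restricted webmin rule) come down to where a new ACCEPT lands in the RH-Firewall-1-INPUT chain. The helper below is an added example, not code from anyone in the thread: it takes the text of a CentOS-style /etc/sysconfig/iptables file, inserts an ACCEPT rule for a port just above the chain's catch-all REJECT, and optionally limits it to one source address the way Alex's `-s xxx.xxx.xxx.xxx` rule does. The SAMPLE file is constructed from the excerpt quoted above plus the stock chain header lines; `open_port`, `accept_rule` and `rule_index` are names chosen here.

```python
# Added example (not from the thread): put an ACCEPT rule into the
# RH-Firewall-1-INPUT chain *before* its catch-all REJECT rule.

# Constructed sample modelled on the tail of the file quoted in the thread.
SAMPLE = """\
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

CHAIN = "RH-Firewall-1-INPUT"

def accept_rule(port, source=None):
    """One rule line; `source` (an IP or CIDR) limits who may connect."""
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    src = f" -s {source}" if source else ""
    return (f"-A {CHAIN}{src} -m state --state NEW -m tcp -p tcp "
            f"--dport {port} -j ACCEPT")

def open_port(config, port, source=None):
    """Return `config` with an ACCEPT rule for `port` placed just above the
    chain's REJECT; iptables matches top-down, so a rule after it is dead."""
    lines = config.splitlines()
    rule = accept_rule(port, source)
    if rule in lines:
        return config  # already there: keep the edit idempotent
    for i, line in enumerate(lines):
        if line.startswith(f"-A {CHAIN} ") and " -j REJECT" in line:
            lines.insert(i, rule)
            break
    else:
        raise ValueError(f"no REJECT rule found in chain {CHAIN}")
    return "\n".join(lines) + "\n"

def rule_index(config, needle):
    """Index of the first line containing `needle`, or -1."""
    hits = [i for i, l in enumerate(config.splitlines()) if needle in l]
    return hits[0] if hits else -1
```

Write the result back to /etc/sysconfig/iptables and reload it with `service iptables restart`; the file's own first-line warning applies because the CentOS security-level tool regenerates it and will drop hand-added lines.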
Re: [SLUG] editing iptables on Centos
On Sat, December 23, 2006 2:44 pm, donohueb wrote:
> you may prefer to manually write iptables, however I use a nice front
> end called guarddog. Ben

thanks, I'd prefer to use some utility, but, I only have ssh access;
is there something that will run over ssh ? otherwise I'm stuck with
editing the conf files

--
Voytek
Re: [SLUG] editing iptables on Centos
On Saturday 23 December 2006 15:18, Voytek Eymont wrote:
> On Sat, December 23, 2006 2:44 pm, donohueb wrote:
>> you may prefer to manually write iptables, however I use a nice front
>> end called guarddog. Ben
>
> thanks, I'd prefer to use some utility, but, I only have ssh access;
> is there something that will run over ssh ? otherwise I'm stuck with
> editing the conf files

I like shorewall. It takes away the risk of writing dud rules and is easy
yet powerful to configure.

Regards
Joseph
Re: [SLUG] editing iptables on Centos
> thanks, I'd prefer to use some utility, but, I only have ssh access;
> is there something that will run over ssh ? otherwise I'm stuck with
> editing the conf files

Can't you just enable X forwarding over your ssh connection?

On 12/23/06, Voytek Eymont [EMAIL PROTECTED] wrote:
> On Sat, December 23, 2006 2:44 pm, donohueb wrote:
>> you may prefer to manually write iptables, however I use a nice front
>> end called guarddog. Ben
>
> thanks, I'd prefer to use some utility, but, I only have ssh access;
> is there something that will run over ssh ? otherwise I'm stuck with
> editing the conf files
>
> --
> Voytek