[CentOS] firewall?

Sun Jul 17 00:03:30 UTC 2011
John R. Dennison <jrd at gerdesas.com>

On Sun, Jul 17, 2011 at 12:03:52AM +0100, Always Learning wrote:
> 
> If using SSH, FTP, phpmyadmin etc. etc. then DO NOT use the standard
> ports. Allocate a different IP address (if you have several) and use a
> non-web IP address for SSH and a different non-web IP address for
> phpmyadmin etc. WITH non-standard ports (you can go as high as about
> 64000). Also consider ONLY allowing access from predefined static IP
> addresses (under your control). Do not make it easy for the hackers.

The reality of the situation is that attacks are in almost all cases
non-targeted and are the results of automated scanning; playing security
through obscurity tricks with IP addresses is as futile as attempting to
herd kittens.

You should not be running ftp at all; ftp should be allowed to die off
as it's insecure just as is any protocol that transits credentials on
the wire in plaintext.  ftps is better; sftp/scp/rsync is better still.

phpmyadmin is a recipe for tears of blood; moving ports is better than
leaving it on 80/tcp, but better would be to not run it at all on a
routable IP.

In the cases of a targeted attack the attacker(s) will find your
services no matter what ports you have them hanging off of.

And TCP port numbers range from 0 to 65535.




							John
-- 
The First Law of Holes:

"It is a good thing to follow the First Law of Holes: if you are in one, stop
digging." - Denis Healy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://lists.centos.org/pipermail/centos/attachments/20110716/a0d5f4f0/attachment-0005.sig>