[CentOS-mirror] Firewall Set-up for CentOS Mirror

Fri Oct 26 18:18:24 UTC 2018
Tails Hon1nbo <hon1nbo+mirror at hackingand.coffee>

We use PfSense running HA Proxy (which is a plugin available naively to
PfSense), which acts as our TLS termination for the public certificates
(internal servers have internal certs) as well as our load balancers. TLS
certs are managed with the ACME plugin for Let's Encrypt, and the Intel
processor is using AES-NI to speed up the TLS.

overall for security just using a static service for serving the content
solves most attack vectors, as there aren't any CGI or related scriptlets
running server side.
Cut off public SSH (if required some advocate alternate ports, but this
isn't so much as intrusion prevention as to prevent lock outs caused by
spam bots). SSH should be using key based authentication.

For ciphers and modes for TLS / SSH etc, I recommend checking out
cipherli.st and the Mozilla TLS guidelines. Cipherli.st has an up to date
set of configs for most software TLS/SSH settings, and the Mozilla guide
has better explanations of how these modes work and what they do.

For PfSense I allow our management pages externally since they also run our
VPN (users can download a client), but if you don't need that I would cut
off external access to PfSense.

I setup a rule to allow ports 80,443,873 to HAProxy (via PfSense, set to
allow to a single host which is the IP HAProxy is listening on). For
HAProxy it does a simple TCP socket check for 873 since Rsync isn't a
supported mode in HAProxy, so if the socket is open it just balances
between the servers.


On Fri, Oct 26, 2018 at 1:12 PM Ken Young <kenyis at rogers.com> wrote:

> Hello,
> My name is Ken Young and I am working with the StarlingX Open Source
> community to set up a mirror of all our 3rd Party dependency code and
> CentOS.  We currently have a prototype running but we would like to harden
> the security measures we have in place for the server.  For example, we
> would like to move this server behind an external firewall.
> Would you be willing to share what security hardening you have completed
> for your mirrors?  Any information would be greatly appreciated.
> Thank you in advance.
> Regards,
> Ken Y
> _______________________________________________
> CentOS-mirror mailing list
> CentOS-mirror at centos.org
> https://lists.centos.org/mailman/listinfo/centos-mirror

 This message contains confidential information and is intended only for 
the individual named. If you are not the named addressee you should not 
disseminate, distribute or copy this e-mail. Please notify the sender 
immediately by e-mail if you have received this e-mail by mistake and 
delete this e-mail from your system. If you are not the intended recipient 
you are notified that disclosing, copying, distributing or taking any 
action in reliance on the contents of this information is strictly 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.centos.org/pipermail/centos-mirror/attachments/20181026/7812f1dc/attachment-0006.html>