On Thu, Aug 7, 2008 at 11:53 PM, Ray Leventhal <centos at swhi.net> wrote: > > My US$0.02 on this.....I'm a fan of apf as a front-end to iptables...but it > takes some reading to understand the switches and the entire RAB (reactive > address blocking) configuration options. Sadly, RAB is poorly documented, > but with a bit of tinkering, I've enjoyed this feature tremendously as it > cuts down on the hammering I used to get to port 22 by the bots and script > kiddies. Sad to say my usual tasks keep me sufficiently occupied that I hardly have the time to study what APF actually does. It came with ELS (Easy Linux Security) scripts with directadmin, sounds like A Good Idea (tm) so I just installed it. Personally I'm aghast at the manner in which I'm running the server but practically there is only that much time I can devote to being the server admin. If you've a static IP at your workstation, add your IP address to the apf > nicely formed 'allow_hosts.rules' file, usually located in /etc/apf. This > is a simple IP address or IP block list (using slash notation, i.e. > 192.168.1.0/24) to allow access to an IP or range of IPs. Further, the > deny_hosts.rules list is the same format for hosts to always deny. I had considered this allowed only x.x.x.x ip strategy very early on since it appeared to be an obvious way to head off attacks/probes from external parties. Unfortunately, like most folks, I'm on dynamic IP. My primary role also requires me to run around very often, necessitating urgent administration from a variety of potential sub-networks from whichever ISP happens to be providing access at the location. So I figured it would be quite impractical to attempt to limit access to only certain IP addresses. Although thinking about it now, extending the concept from a previous suggestion, I suppose it is theoretically possible to write a privileged script accessible from one of the server hosted domains to activate an allow-host rule addition to the firewall and a cronjob that routinely activates another script to removed added hosts after 1 hour or something. So anytime access is needed, I would hit the website to activate the script to open up SSH access to the IP I am using at the moment and then SSH in. But of course, easier said than done since I barely know shell scripting and allowing exec in PHP had always been met with a big frown personally. :D -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.centos.org/pipermail/centos/attachments/20080811/8c1439b0/attachment-0004.html>