[CentOS] Security advice, please

Mon Mar 23 19:50:54 UTC 2009
Anne Wilson <cannewilson at googlemail.com>

On Monday 23 March 2009 19:33:58 JohnS wrote:
> On Mon, 2009-03-23 at 18:37 +0000, Anne Wilson wrote:
> > > Her's another example it will do what you want, your just
> > > misunderstanding it. I have 2 customers that use Netgear routers. I
> > > think your not setting up the Nat - Add Page.
> > > http://portforward.com/english/routers/port_forwarding/Netgear/DG834G/e
> > >Mule .htm One thing are you using it for the DSL or another modem/router
> > > for dsl? If your using two only one can be Natted and the other Main
> > > router in Bridged Mode.
> >
> > The router is also the DSL modem.
>
> Ahh, and a warning about that. Make sure after you get the port fowarding
> working that the router is not wide open. Meaning every port open. Zyxel
> and Netgear are very similiar in design (software) and both of them have
> this problem. This only occurs when it is in the routing mode
>
As far as I can see it defaults to outward traffic being open, but inward 
traffic blocked apart from the rules I set.

> > OK - I'm thick.  I've looked at that page and seen only what I'm already
> > familiar with.  Please, in plain English, how do I set ssh to come in on
> > port 22022 (service called ext-ssh already set up for that) to be
> > forwarded to 192.168.0.xx port 22?
>
> If you can hold your horses I may can tell you in Plain Eng later on. At
> the moment I am not directly in front of one and the ones I have access
> to can not be accessed over the WAN. This would be later EST Time
> Tonight.
>
It's not hugely urgent - I'd like to get it set up and working before the end 
of the week.  If you reply later today I'll see it tomorrow, and that is just 
fine.

> It gives you a choice of what ports you want the service to use. You
> simply have to enter the numbers into the empty boxes (choose Custom
> Service).  IE; you will have to make a Custom Service.
>
> Looking at your port choice from a Social Engineering Stand Point your
> defeating the purpose of port masking. Choosing port 22022 tells me that
> you have ssh running on a server.  Non the less you can also do what
> Steve said.
>
I'll look at both options, once I've seen your next reply.  I'm aware that 
this is not locked-down security, just that it will deter the casual poke-
around merchants.  Once I'm convinced that I have it working it will be 
disabled except for the periods when I'm away from home.  (I do know that 
works, because last time I was away I forgot to re-enable the imap service, 
and I couldn't get in.)

Anne
-- 
New to KDE4? - get help from http://userbase.kde.org
Just found a cool new feature?  Add it to UserBase
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.centos.org/pipermail/centos/attachments/20090323/fdeada62/attachment-0003.sig>