[CentOS] firewall?

Tue Jul 19 09:59:30 UTC 2011
John Hodrien <J.H.Hodrien at leeds.ac.uk>

On Sun, 17 Jul 2011, Always Learning wrote:

> If using SSH, FTP, phpmyadmin etc. etc. then DO NOT use the standard
> ports. Allocate a different IP address (if you have several) and use a
> non-web IP address for SSH and a different non-web IP address for
> phpmyadmin etc. WITH non-standard ports (you can go as high as about
> 64000). Also consider ONLY allowing access from predefined static IP
> addresses (under your control). Do not make it easy for the hackers.
> Give them a difficult time.

Running on non-default ports (especially high numbered ports) always strikes
me as the wrong way of doing things.  You've come out of the admin shelter of
low ports meaning you're now vulnerable to local attacks - if I can make ftp
(one of your examples) crash, I can potentially steal its port and run my own
ftp server, stealing everyone's password if I have a local account.  At the
same time, you're still vulnerable to plenty of scanning attacks.

If you want accessible services to be accessible, I say make them accessible,
and secure that service as much as you reasonably can.

If you want to restrict access to make it more secure, put them behind a VPN
or other protection.  That way you *really* get the security benefit that you
wanted in the first place.

jh