[CentOS] [SOLVED] iptables rule question for Centos 5

Sat Aug 4 07:37:54 UTC 2012
Johnny Hughes <johnny at centos.org>

On 08/04/2012 01:43 AM, Keith Roberts wrote:
> On Fri, 3 Aug 2012, SilverTip257 wrote:
>> To: CentOS mailing list <centos at centos.org>
>> From: SilverTip257 <silvertip257 at gmail.com>
>> Subject: Re: [CentOS] [SOLVED] iptables rule question for Centos 5
>> Marvin,
>> You're leaving SSH open to the world with that.
>> If this is a box behind a firewall, then it's not _as much of a
>> concern_ ... otherwise you're opening that server up to ssh brute
>> force attempts.
>> Your existing configuration is probably set up to drop/reject if
>> traffic does not match any of your rules, so you've nearly solved the
>> "blocking all other traffic" from server2.  But you really should put
>> a specific rule on server1 with source as server2 and dest port 22
>> being accepted.
>> -s server2 -p tcp --dport 22 -j ACCEPT
> Or move the SSH port to a non-standard one?

Moving the port to a non-standard port is better than nothing ... but
only be a very slight bit.  It might work on the least knowledgeable
script kiddies who only look at port 22, but it will do nothing to hide
the fact that it is an open to the world ssh port on an nmap scan, etc.

Three much better options are:

1.  Use a --source in the IPTABLES rules if you only connect from a
limited number of places.
2. Some kind of VPN (like openvpn)
3. Port Knocking:  http://www.portknocking.org/view/faq

2 and 3 can both be open from everywhere, and all 3 do not show as an
open ssh port from remote scans, which is what you want.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <http://lists.centos.org/pipermail/centos/attachments/20120804/60ffe48f/attachment-0004.sig>