Linode Forum
https://forum.linode.com/

Multiple IP addresses
https://forum.linode.com/viewtopic.php?f=19&t=6614
Page 1 of 2

Author:  dmwilliams [ Wed Jan 26, 2011 11:48 am ]
Post subject:  Multiple IP addresses

I read this http://library.linode.com/networking/configuring-static-ip-interfaces/ and set up two IP addresses on my linode.
But now what? Is it possible to set up firewall rules based on incoming IP address?

Is it possible to dedicate a service to an IP, so if you port scanned one IP only certain ports would appear open?

Author:  Mr Nod [ Wed Jan 26, 2011 12:05 pm ]
Post subject: 

Yes, you can set a service to run on a particular IP - apache, mysql and SSH all spring to mind. Check their config files to set which IP they listen on.

As you mention firewall, you could do port-forwarding from one IP address to another, but I'd personally configure the service to run on a certain IP address instead, as mentioned above.

Author:  mnordhoff [ Thu Jan 27, 2011 4:33 am ]
Post subject: 

Yes, iptables supports IP-specific firewall rules. It's possible some frontends don't, but most do.

As for your application question, most do support binding to specific IPs. Check the configuration documentation. Some software doesn't have that feature, of course, in which case it would probably be easiest to let it listen on whatever it wants to but firewall off the other IPs, knowing that the service would be accessible on the other IP if something happened to your firewall.

Why do you care about running different services on different IPs, though?
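
The caveat in the post above (a service that listens on all IPs is reachable on the other IP as soon as the firewall is gone) is easy to check from the socket table. The script below is an added example, not code from the thread: it parses `ss -Hlnt` output and reports wildcard listeners and per-address bindings. The socket lines are a constructed sample, and the addresses are the placeholder IPs used later in this thread.

```shell
#!/bin/sh
# Added example, not from the forum thread: list listening TCP sockets and
# flag those bound to a wildcard address. A wildcard listener answers on every
# IP the box has, so it is reachable on the "other" IP the moment the firewall
# is flushed, which is the caveat in the post above.
#
# Input is the output of `ss -Hlnt` (listening TCP sockets, no header):
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
# The local address:port is column 4.

# Constructed sample, not captured from a real host. The two public
# addresses are the placeholders used later in this thread.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 98.76.54.32:80 0.0.0.0:*
LISTEN 0 128 98.76.54.32:443 0.0.0.0:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 [::1]:631 [::]:*'

# is_wildcard ADDR: true if ADDR means "every interface" (IPv4 or IPv6)
is_wildcard() {
    case "$1" in
        0.0.0.0|'*'|'[::]'|'::') return 0 ;;
        *) return 1 ;;
    esac
}

# ss_lines [SS_OUTPUT]: the sample text if given, else the live socket table
ss_lines() {
    if [ $# -gt 0 ]; then printf '%s\n' "$1"; else ss -Hlnt; fi
}

# wildcard_listeners [SS_OUTPUT]: one "ADDR:PORT" per wildcard listener
wildcard_listeners() {
    ss_lines "$@" | awk '{ print $4 }' | while IFS= read -r laddr; do
        addr=${laddr%:*}      # split at the LAST ':' so "[::]:22" works
        port=${laddr##*:}
        if is_wildcard "$addr"; then
            printf '%s:%s\n' "$addr" "$port"
        fi
    done
}

# bound_to IPV4 [SS_OUTPUT]: ports explicitly bound to that one address
bound_to() {
    ip=$1; shift
    ss_lines "$@" | awk -v ip="$ip" '{
        n = split($4, f, ":"); if (f[1] == ip) print f[n] }'
}

echo "listeners reachable on every IP (firewall is the only guard):"
wildcard_listeners "$SAMPLE_SS"
echo "ports bound only to 98.76.54.32:"
bound_to 98.76.54.32 "$SAMPLE_SS"
```

Run it with no sample argument (`wildcard_listeners` alone) to audit the live host; anything it prints is a service whose reachability depends entirely on the firewall rules rather than on its own bind address. In the sample, sshd on port 22 is that case for both IPv4 and IPv6.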

Author:  dmwilliams [ Wed Feb 16, 2011 4:00 pm ]
Post subject: 

The reason I am interested in this is because having a webserver opens you up to a ton of break in attempts daily. It would be great if I could have a special IP that only appeared to have a webserver running, and another IP for everything else such as ssh, etc.

Does anybody know if it can be done with UFW, or a good document on how to do it with iptables? I am missing some of the search vocabulary to locate the document myself.

Author:  pparadis [ Wed Feb 16, 2011 4:09 pm ]
Post subject:  This does not resolve the real problem.

Being on the Internet opens a server up to compromise attempts. Botnets routinely perform service scans against very large IP ranges, which costs the controllers nothing (since they aren't paying for the resources anyhow). If you're concerned about such attempts, you may wish to investigate using SSH keys and disabling password access, or using something like DenyHosts or fail2ban.

Author:  vonskippy [ Wed Feb 16, 2011 5:29 pm ]
Post subject: 

1, 2, or 20 IPs, it's still the SAME box.

Don't waste public IP's on something as useless as "security thru obscurity".

Author:  akerl [ Wed Feb 16, 2011 11:06 pm ]
Post subject: 

vonskippy wrote:
1, 2, or 20 IPs, it's still the SAME box.

Don't waste public IP's on something as useless as "security thru obscurity".


While I do agree that by itself, splitting services like this is a "security thru obscurity" argument, it does have a certain merit if used as described above.

Assume my box has 2 IPs. I set up my web server on one IP, set up DNS to point all my domains at that IP. Then, I limit my ssh server to only listen on the other IP. The SSH server is still locked down to only allow key-based auth, not allow root login, etc etc.

With a setup like that, you are just as vulnerable to the random IP sweeping, but your vulnerability to those sweeps, since your ssh is key only, and you keep your web server up to date, is pretty close to zero.

The benefit to splitting the services is that Mr. Angry Hacker, having been offended by your inflammatory blog posts, has almost zero chance at discovering your second IP, cutting in half the number of services he can attempt to exploit as a method of harming your box.
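
The sshd side of the setup described above (ListenAddress on the management IP, key-only auth, no root login) has a trap worth checking for: sshd keeps the first value it reads for a keyword, so hardening lines appended below an earlier setting are ignored, and an Include at the top of the file is read before anything below it. The script below is an added example, not code from the thread; it evaluates a constructed sshd_config the way sshd does. On a real host `sudo sshd -T` is the authoritative dump of effective settings.

```shell
#!/bin/sh
# Added example, not from the forum thread: work out the effective global
# value of sshd_config keywords the way sshd does. For almost every keyword
# sshd keeps the FIRST value it reads and ignores later ones, so a hardening
# line pasted at the end of the file does nothing if the keyword already
# appeared above it (or in an Include read earlier). ListenAddress is the
# exception: each line adds another address. Everything after a Match line
# belongs to that Match block until the next one, so it is not global and is
# skipped here. Authoritative check on a real host: `sudo sshd -T`.

# Constructed sample config. 12.34.56.78 is the management IP used in the
# thread. The two lines after the comment are the trap: they look like they
# turn passwords and root login off, but the earlier "yes" lines win.
SAMPLE_SSHD_CONFIG='# /etc/ssh/sshd_config (constructed sample)
Port 22
ListenAddress 12.34.56.78
PasswordAuthentication yes
PermitRootLogin yes
PubkeyAuthentication yes
# hardening appended later, silently ignored by sshd:
PasswordAuthentication no
PermitRootLogin no

Match User backup
    PasswordAuthentication no'

# global_lines CONFIG: drop comments and blank lines, stop at the first Match
global_lines() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match"   { exit }
        { print }'
}

# sshd_effective KEYWORD CONFIG: the first value seen, as sshd applies it
sshd_effective() {
    kw=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    global_lines "$2" | awk -v kw="$kw" '
        tolower($1) == kw { $1 = ""; sub(/^[ \t]+/, ""); print; exit }'
}

# sshd_listen_addresses CONFIG: every ListenAddress, one per line
sshd_listen_addresses() {
    global_lines "$1" | awk 'tolower($1) == "listenaddress" { print $2 }'
}

# sshd_hardening_ok CONFIG: succeeds only when the effective settings are
# key-only auth and no root login (the setup described in the post above)
sshd_hardening_ok() {
    [ "$(sshd_effective PasswordAuthentication "$1")" = "no" ] &&
    [ "$(sshd_effective PermitRootLogin "$1")" = "no" ] &&
    [ "$(sshd_effective PubkeyAuthentication "$1")" != "no" ]
}

echo "PasswordAuthentication: $(sshd_effective PasswordAuthentication "$SAMPLE_SSHD_CONFIG")"
echo "ListenAddress: $(sshd_listen_addresses "$SAMPLE_SSHD_CONFIG")"
if sshd_hardening_ok "$SAMPLE_SSHD_CONFIG"; then echo hardened; else echo "NOT hardened"; fi
```

The sample reports `PasswordAuthentication: yes` and `NOT hardened` even though the file ends with `PasswordAuthentication no`; deleting the earlier `yes` lines (or putting the `no` lines first) is what actually changes sshd's behaviour. The check deliberately fails when `PermitRootLogin` is absent rather than assuming a default.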

Author:  obs [ Wed Feb 16, 2011 11:36 pm ]
Post subject: 

Or you could just ensure you have a static IP and use iptables to block ssh connections from all but that IP.

Author:  akerl [ Wed Feb 16, 2011 11:47 pm ]
Post subject: 

Except I admin my server from my house, and from my netbook or phone on the go.

Author:  vonskippy [ Thu Feb 17, 2011 12:21 am ]
Post subject: 

Drop all external SSH access and use a VPN. Let's see the mean old hacker bypass that.

Author:  carmp3fan [ Thu Feb 17, 2011 10:26 am ]
Post subject: 

I have a separate Linode for remote access. Allows SSH access on port 443 (to bypass firewalls) with port tunneling directed to a local instance of Squid. All my servers have SSH bound to the private 192 address and the firewall blocks access that isn't from my remote access server. Then I tell PuTTY to use a proxy and SSH to the private address. I remove the extra service from the public IP and can still access my server from anywhere.

Author:  jzimmerlin [ Thu Feb 17, 2011 8:46 pm ]
Post subject: 

Forgive me if I'm wrong, but if you're using key-based authentication, aren't the chances of someone hacking into your Linode via SSH extremely low?

Author:  Stever [ Thu Feb 17, 2011 8:52 pm ]
Post subject: 

jzimmerlin wrote:
Forgive me if I'm wrong, but if you're using key-based authentication, aren't the chances of someone hacking into your Linode via SSH extremely low?


+1

I'd be a lot more worried about the bad guys hacking a webserver than a decently-configured sshd. Wasting a second IP for this is silly at best.

Author:  hybinet [ Thu Feb 17, 2011 9:20 pm ]
Post subject: 

dmwilliams wrote:
does anybody know if it can be done with UFW, or a good document on how to do it with iptables? i am missing some of the search vocabulary to locate the document myself.

It's always a good idea to configure your services so that they only listen on the IP address they're supposed to listen on in the first place, rather than having them listen on all IPs and using a firewall to block them.

If you want to use Ubuntu's UFW (which is one of the easiest firewall tools out there), just apt-get install it and run the following commands:
Code:
sudo ufw allow from any to 12.34.56.78 port 22
sudo ufw allow from any to 98.76.54.32 port 80
sudo ufw allow from any to 98.76.54.32 port 443
sudo ufw default deny
sudo ufw enable

The first line allows SSH on 12.34.56.78. The next two lines allow HTTP and HTTPS on 98.76.54.32. The fourth line disallows everything else, and the fifth line activates the firewall. Change to fit your needs. If you accidentally lock yourself out, go to Lish and try again.
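
For the iptables half of the question, the script below is an added example, not code from the thread. It generates the iptables-restore equivalent of the five ufw commands above from a small "address port/proto" map (constructed here with the same placeholder IPs), with a DROP policy on INPUT, loopback and established-connection rules, and one per-address accept rule per service. It only prints the ruleset; nothing is applied until you pipe it to iptables-restore yourself.

```shell
#!/bin/sh
# Added example, not from the forum thread: build an iptables-restore ruleset
# that allows each service only on the address it should be reached on, the
# iptables equivalent of the ufw commands in the post above. It only PRINTS
# the ruleset; review it, then load it with
#   gen_ruleset | sudo iptables-restore
#
# Service map, one "ADDRESS PORT/PROTO" per line. Constructed for this
# example; the addresses are the placeholders used in the thread.
SERVICE_MAP='12.34.56.78 22/tcp
98.76.54.32 80/tcp
98.76.54.32 443/tcp'

# gen_ruleset [MAP]: emit the filter table in iptables-restore syntax
gen_ruleset() {
    map=${1:-$SERVICE_MAP}
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections this host opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ICMP (ping, path MTU discovery); drop this line for a silent host
-A INPUT -p icmp -j ACCEPT
# one rule per service, matched on the DESTINATION address
EOF
    printf '%s\n' "$map" | while read -r addr spec; do
        [ -z "$addr" ] && continue
        port=${spec%/*}
        proto=${spec#*/}
        printf '%s\n' "-A INPUT -d $addr -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo COMMIT
}

# allowed_ports ADDR [MAP]: the ports the generated ruleset opens on ADDR
allowed_ports() {
    gen_ruleset "${2:-$SERVICE_MAP}" |
        awk -v a="$1" '$1 == "-A" && $4 == a {
            for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1) }'
}

gen_ruleset
```

Two caveats a practitioner would add. First, this covers IPv4 only; if the host also has IPv6 addresses, ip6tables needs its own equivalent table or those services stay open on v6. Second, loading a DROP-policy ruleset over SSH is how people lock themselves out; loading it through `iptables-apply` (which reverts unless you confirm within a timeout) or keeping a Lish console open, as the post above suggests, avoids the trip to the console.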

Author:  dmwilliams [ Sun Feb 20, 2011 1:11 am ]
Post subject: 

I am not using public/private key authentication; I must just use regular passwords.
I host a subversion server via svn+ssh://
and it is very difficult to configure the subversion clients to use the keys.

Right now I am filtering IP addresses.
And I just got the multiple IP address thing working by binding IP addresses within the config of each service. It works pretty well.

It's really cool, now somebody can't ping my domain and look at the IP address, then try and tamper with my ssh because they don't like my website. I'll be monitoring the number of ssh brute force attempts and see how much less it is than before.

All times are UTC-04:00