Linode Forum
https://forum.linode.com/

New linux user, is this setup secure?
https://forum.linode.com/viewtopic.php?f=19&t=6669
Page 1 of 1

Author:  ulf.lundh [ Mon Feb 07, 2011 6:03 am ]
Post subject:  New linux user, is this setup secure?

First post from a semi-new Linux user.
I use Ubuntu at work but only for desktop use, so I'm not very experienced with Ubuntu server.
I'm interested in your views on my setup:

Ubuntu 10.04 LTS
pptp vpn connection which gives a 192.168.X.*-* address
ufw firewall default deny
ssh default port allow from anywhere
(root login disabled, denyhosts running)
pptp default port allowed from anywhere
ftp default port only allow from 192.168.X.*
phpmyadmin default folder only allowed from 192.168.X.*
webmin default port only allowed from 192.168.X.*

whitelist on manager.linode.com
Wordpress installation with SSL on admin login.

I use VPN to connect to ftp, phpmyadmin and webmin/virtualmin

Any other things I should think about?
Thanks.

Author:  obs [ Mon Feb 07, 2011 10:15 am ]
Post subject: 

You may want to change the VPN IP addresses to one of the other private net blocks; Linode uses the 192.168 range for their private network, and you may find clashes should you ever choose to use it.

I hope your ssh is restricted to public keys not password authentication, having it open to anyone on the default port means you're going to experience brute force attempts.

Do you really need FTP? Can't you use SFTP (transferring files over SSH)? One less bit of software to worry about.

Do you also need phpmyadmin? I find http://wb.mysql.com/ is a better alternative.

Author:  ulf.lundh [ Mon Feb 07, 2011 2:03 pm ]
Post subject: 

Thank you for your reply. I have now changed to private IP 10.0.X.*.
I also moved the SSH port to a non-default one. Will generate keys and disable password login.

About SFTP, is that the same as SCP?
Would I connect to my SSH port with my SCP/SFTP program?

Will look into your phpmyadmin alternative.

I really appreciate your input :)

Author:  vonskippy [ Mon Feb 07, 2011 2:24 pm ]
Post subject: 

Technically, PPTP VPN is a compromised protocol (and has been for many many years), and only MS still considers it fit to use in VPNs.

Author:  obs [ Mon Feb 07, 2011 2:30 pm ]
Post subject: 

Try http://library.linode.com/networking/openvpn/ for VPN.

SCP/SFTP use the same SSH protocol; yes, you would connect to your SSH port with the same credentials you use for SSH.

If you're on a Mac then Cyberduck is a good SFTP client, on Windows WinSCP is good, on Linux just check your repositories.

Author:  ulf.lundh [ Mon Feb 07, 2011 4:12 pm ]
Post subject: 

I disabled FTP and use SFTP with Transmit on my Mac, works great!
Will try to upgrade to L2TP from PPTP, seems tricky though.

Author:  ulf.lundh [ Tue Feb 08, 2011 3:51 am ]
Post subject: 

obs wrote:
You may want to change the VPN IP addresses to one of the other private net blocks; Linode uses the 192.168 range for their private network, and you may find clashes should you ever choose to use it.

I hope your ssh is restricted to public keys not password authentication, having it open to anyone on the default port means you're going to experience brute force attempts.

Do you really need FTP? Can't you use SFTP (transferring files over SSH)? One less bit of software to worry about.

Do you also need phpmyadmin? I find http://wb.mysql.com/ is a better alternative.

Wouldn't I have to open up the MySQL port to use your suggested app? Wouldn't that be more unsafe than using a protected phpmyadmin directory? I'm not really using phpmyadmin much except for when importing / exporting databases.

Another problem I have now: I have disabled the FTP service on my server and used "ufw deny 21" to close the FTP port. When running nmap from another computer against my domain name, the port still lists as open. How is this possible?

Code:
PORT    STATE SERVICE
21/tcp  open  ftp
53/tcp  open  domain
80/tcp  open  http
443/tcp open  http

Author:  JshWright [ Tue Feb 08, 2011 10:58 am ]
Post subject: 

Do you still have an "allow" rule for port 21? The first rule that matches is applied, so you may need to delete a conflicting rule to actually close the port.
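As an added illustration of the first-match point above (not code from the thread or from ufw itself): a small simulator that parses a constructed "ufw status numbered" listing, reports which rule a given probe hits, and flags later rules that an earlier rule on the same port fully shadows. The ruleset, the rule numbers and the probe address 203.0.113.5 are constructed, not the poster's real configuration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample in the shape of "ufw status numbered" (not real output from
# the thread): a leftover "allow 21" sits before the "ufw deny 21" added later,
# which ufw appends as the last rule. IPv6 "(v6)" lines are left out here.
UFW_STATUS = """\
     To                         Action      From
     --                         ------      ----
[ 1] 21/tcp                     ALLOW IN    Anywhere
[ 2] 22/tcp                     ALLOW IN    Anywhere
[ 3] 1723/tcp                   ALLOW IN    Anywhere
[ 4] 21/tcp                     DENY IN     Anywhere
"""


@dataclass
class Rule:
    number: int
    port: int
    proto: str
    action: str          # ALLOW or DENY
    source: ipaddress.IPv4Network


def parse_rules(status_text):
    """Parse the numbered IPv4 rules; 'Anywhere' becomes 0.0.0.0/0."""
    rules = []
    for line in status_text.splitlines():
        if not line.startswith("[") or "(v6)" in line:
            continue
        number = int(line[1:line.index("]")])
        fields = line[line.index("]") + 1:].split()
        port, proto = fields[0].split("/")
        src = "0.0.0.0/0" if fields[3] == "Anywhere" else fields[3]
        rules.append(Rule(number, int(port), proto, fields[1],
                          ipaddress.ip_network(src, strict=False)))
    return rules


def first_match(rules, port, proto, src_ip, default="DENY"):
    """Walk the chain in order, as the firewall does, and return
    (rule number, action) of the first hit, or (None, default policy)."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.port == port and r.proto == proto and ip in r.source:
            return r.number, r.action
    return None, default


def shadowed_rules(rules):
    """Rules that can never fire: an earlier rule on the same port/proto
    already covers every source address this one could match."""
    return [r for i, r in enumerate(rules)
            if any(e.port == r.port and e.proto == r.proto
                   and r.source.subnet_of(e.source) for e in rules[:i])]
```

Deleting the shadowing allow rule (ufw delete 1 in the constructed listing) is what makes the later deny take effect.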

Author:  obs [ Tue Feb 08, 2011 2:01 pm ]
Post subject: 

No, you don't have to open up MySQL to use MySQL Workbench; you can use an SSH tunnel (which is what I do). All MySQL needs to do is listen on 127.0.0.1, which is the default anyway.

Try checking with nmap from another machine. If I use nmap on any IP it always says port 21 is open, something weird to do with my ISP (I imagine they filter incoming FTP traffic). Maybe your ISP does the same.

If you pop onto IRC, someone there could scan for you.

Author:  jzimmerlin [ Tue Feb 08, 2011 5:56 pm ]
Post subject: 

You might find this helpful:
viewtopic.php?t=6564&highlight=

Author:  ulf.lundh [ Wed Feb 09, 2011 5:29 am ]
Post subject: 

JshWright wrote:
Do you still have an "allow" rule for port 21? The first rule that matches is applied, so you may need to delete a conflicting rule to actually close the port.


No, I have no allow rule for 21. It's weird though. When running nmap from certain networks to my Linode it does not show port 21 as open, which makes me believe obs is right in that some ISP is to blame. I can't connect to 21 (even when I have proftpd started on 21). I guess I can drop my concern about this.
Thanks a bunch for all your great replies!

Page 1 of 1 All times are UTC-04:00