Linode Forum
Linode Community Forums
PostPosted: Sun Nov 08, 2009 5:20 pm 

Joined: Sun Nov 08, 2009 4:31 am
Posts: 15
Hi Guys,

Another quick question -- how are local firewalls managed? iptables? The web interface?

Are fresh images blocked from the get go?

My concern is having a box spin up that's immediately susceptible to security threats.


PostPosted: Sun Nov 08, 2009 6:31 pm 

Joined: Fri Oct 24, 2003 3:51 pm
Posts: 965
Location: Netherlands
The firewall is your responsibility, using iptables.

_________________
/ Peter


PostPosted: Sun Nov 08, 2009 8:42 pm 

Joined: Sun Jan 18, 2009 2:41 pm
Posts: 830
And my recollection is that the provided images don't run any services by default, hence nothing to attack. sshd might be an exception.


PostPosted: Mon Nov 09, 2009 8:15 am 

Joined: Sun Aug 02, 2009 1:32 pm
Posts: 222
Website: https://www.barkerjr.net
Location: Connecticut, USA
Right, this isn't Windows. I just built a new node to check and I have two things running: ssh and dhcp. Don't worry about not having a firewall. These are recent distributions.


PostPosted: Mon Nov 09, 2009 12:24 pm 

Joined: Sun Nov 08, 2009 4:31 am
Posts: 15
Vance wrote:
And my recollection is that the provided images don't run any services by default, hence nothing to attack. sshd might be an exception.


Thanks Vance, that's EXACTLY what I wanted to know. :D

-M


PostPosted: Mon Nov 09, 2009 1:21 pm 

Joined: Fri Sep 12, 2008 3:17 am
Posts: 166
Website: http://independentchaos.com
I use a mix of apf firewall and tcp wrappers to limit ports and IP addresses allowed to do whatever and what not.

I'm sure that I could really dig deep and set up a whole mess of iptables, but apf makes it easy and wrappers are already pretty easy.

_________________
If it ain't broke, you didn't tweak it enough. If it is broke, use more duct tape.
http://independentchaos.com


PostPosted: Mon Nov 09, 2009 4:25 pm 

Joined: Sat May 03, 2008 4:01 pm
Posts: 568
Website: http://www.mattnordhoff.com/
You should lock down SSH as soon as you can (disable root logins and password auth, install DenyHosts/fail2ban/etc., move it to a different port, etc.) just to be safe, but there's little chance of your server getting broken into any time soon unless you have a really horrible root password.


PostPosted: Mon Nov 09, 2009 8:16 pm 

Joined: Sun Aug 31, 2008 4:29 pm
Posts: 177
mnordhoff wrote:
You should lock down SSH as soon as you can (disable root logins and password auth, install DenyHosts/fail2ban/etc., move it to a different port, etc.) ...


For "etc.", I'd recommend firewalling the SSH port (regardless of whether it's the default one or a custom port). Even if you have a dynamic IP you can specify a network range, e.g., 192.168.0.0/24, from which to allow connections, and deny access to the vast majority of the Internet.
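
The firewall Peter and sleddog describe, as an added example that is not from the thread or from Linode: a POSIX shell script that prints an iptables-restore ruleset admitting SSH only from a list of source ranges and dropping every other inbound packet. The function names are my own. The range 192.168.0.0/24 is the placeholder from the post; it is a private range, so in practice you substitute the public allocation your ISP hands you (whois on your current address shows it), and the port is whatever your sshd listens on. It assumes the conntrack match is available, which it is on any kernel of the period and later.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore ruleset that
# admits SSH only from named source ranges and drops all other inbound traffic.
# The CIDR and port are placeholders; see the lead-in.

# ssh_firewall_rules PORT CIDR [CIDR ...]
# Prints the ruleset to stdout; feed it to iptables-restore to apply.
ssh_firewall_rules() {
    port=$1
    shift
    printf '%s\n' '*filter'
    # Default-deny inbound and forwarded traffic; outbound stays open.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Loopback, and replies to connections this host opened itself.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # ICMP keeps ping and path-MTU discovery working.
    printf '%s\n' '-A INPUT -p icmp -j ACCEPT'
    # SSH: one ACCEPT per permitted source range; nothing else reaches the port.
    for cidr in "$@"; do
        printf '%s\n' "-A INPUT -s $cidr -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Rate-limited log of what the DROP policy is about to discard.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "'
    printf '%s\n' 'COMMIT'
}

# count_ssh_accepts PORT CIDR ...  -> number of SSH ACCEPT rules in the ruleset
count_ssh_accepts() {
    ssh_firewall_rules "$@" | grep -c -- "--dport $1 .* -j ACCEPT"
}

# usage: sh ssh_fw.sh 22 192.168.0.0/24 > /tmp/rules.v4 && iptables-restore < /tmp/rules.v4
if [ $# -ge 2 ]; then
    ssh_firewall_rules "$@"
fi
```

Apply it from a console session rather than over SSH (Lish, mentioned later in this thread, is exactly that), so a typo in the allowed range does not lock you out; if it does, `iptables -P INPUT ACCEPT` followed by `iptables -F` from the console undoes it. These rules cover IPv4 only; ip6tables keeps its own table and needs a matching set. How the ruleset is reloaded at boot differs by distribution, so check your distro's mechanism for persisting iptables-save output.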


PostPosted: Mon Nov 09, 2009 11:14 pm 

Joined: Sun Nov 08, 2009 4:31 am
Posts: 15
sleddog wrote:
mnordhoff wrote:
You should lock down SSH as soon as you can (disable root logins and password auth, install DenyHosts/fail2ban/etc., move it to a different port, etc.) ...


For "etc.", I'd recommend firewalling the SSH port (regardless of whether it's the default one or a custom port). Even if you have a dynamic IP you can specify a network range, e.g., 192.168.0.0/24, from which to allow connections, and deny access to the vast majority of the Internet.


Agreed. Personally, I'm also a fan of using public key authentication instead of standard passwords. Good to know there's Lish in case of trouble. =D


PostPosted: Tue Nov 10, 2009 12:10 am 

Joined: Sat May 03, 2008 4:01 pm
Posts: 568
Website: http://www.mattnordhoff.com/
sleddog wrote:
For "etc.", I'd recommend firewalling the SSH port (regardless of whether it's the default one or a custom port). Even if you have a dynamic IP you can specify a network range, e.g., 192.168.0.0/24, from which to allow connections, and deny access to the vast majority of the Internet.


Whoops, forgot about that one. Good advice. :)


PostPosted: Fri Nov 13, 2009 10:26 am 

Joined: Fri Sep 12, 2008 3:17 am
Posts: 166
Website: http://independentchaos.com
PermitRootLogin without-password

:) best line in sshd_config there is.

_________________
If it ain't broke, you didn't tweak it enough. If it is broke, use more duct tape.

http://independentchaos.com


PostPosted: Fri Nov 13, 2009 11:52 am 

Joined: Sat May 03, 2008 4:01 pm
Posts: 568
Website: http://www.mattnordhoff.com/
freedom_is_chaos wrote:
PermitRootLogin without-password

:) best line in sshd_config there is.


Only if you need it. Otherwise, "PermitRootLogin no".
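
One way to check the settings mnordhoff lists and the PermitRootLogin exchange above, as an added example that is not from the thread or from OpenSSH: a POSIX shell audit of an sshd_config file. The function names are my own. It relies on the OpenSSH parsing rule that, outside a Match block, the first occurrence of a keyword wins and later duplicates are ignored, and it treats an unset keyword as the permissive 2009-era default (PermitRootLogin yes, PasswordAuthentication yes; newer OpenSSH defaults PermitRootLogin to prohibit-password). It also flags ChallengeResponseAuthentication, because with UsePAM yes that option keeps a password prompt reachable over keyboard-interactive even after PasswordAuthentication no.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config the way sshd reads it.
# Outside any Match block, OpenSSH honours the FIRST occurrence of a keyword and
# silently ignores later duplicates, so appending "PermitRootLogin no" to a file
# that already says "PermitRootLogin yes" higher up changes nothing. A commented
# "#PasswordAuthentication yes" line is not a setting either; it means default.

# sshd_effective FILE KEYWORD DEFAULT
# Prints the effective global value (lower-cased) of KEYWORD, or DEFAULT when
# the file never sets it. Scanning stops at the first Match block, because
# everything below that line applies conditionally.
sshd_effective() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" -v def="$3" '
        /^[ \t]*#/ || NF == 0 { next }          # comments and blank lines
        { gsub(/[ \t]*=[ \t]*/, " ") }          # accept "Keyword=value" spelling
        tolower($1) == "match" { exit }         # conditional section starts here
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE
# Prints one line per check; returns 0 only if every check passes.
# The defaults passed below are the permissive ones of 2009-era OpenSSH;
# explicit settings are what you want in any case.
audit_sshd_config() {
    cfg=$1
    rc=0

    v=$(sshd_effective "$cfg" PermitRootLogin yes)
    case "$v" in
        no|without-password|prohibit-password) echo "ok    PermitRootLogin $v" ;;
        *) echo "WEAK  PermitRootLogin $v  (root can log in with a password)"; rc=1 ;;
    esac

    v=$(sshd_effective "$cfg" PasswordAuthentication yes)
    if [ "$v" = no ]; then
        echo "ok    PasswordAuthentication no"
    else
        echo "WEAK  PasswordAuthentication $v  (open to password guessing)"; rc=1
    fi

    # Keyboard-interactive auth via PAM still prompts for a password even when
    # PasswordAuthentication is off. Newer OpenSSH spells this option
    # KbdInteractiveAuthentication and accepts either name, so the old name
    # falls back to whatever the new one says.
    v=$(sshd_effective "$cfg" ChallengeResponseAuthentication \
        "$(sshd_effective "$cfg" KbdInteractiveAuthentication yes)")
    if [ "$v" = no ]; then
        echo "ok    ChallengeResponseAuthentication no"
    else
        echo "WEAK  ChallengeResponseAuthentication $v  (PAM password prompt still reachable)"; rc=1
    fi

    v=$(sshd_effective "$cfg" PubkeyAuthentication yes)
    if [ "$v" = yes ]; then
        echo "ok    PubkeyAuthentication yes"
    else
        echo "WEAK  PubkeyAuthentication $v  (nothing left to log in with)"; rc=1
    fi

    v=$(sshd_effective "$cfg" PermitEmptyPasswords no)
    if [ "$v" = no ]; then
        echo "ok    PermitEmptyPasswords no"
    else
        echo "WEAK  PermitEmptyPasswords $v"; rc=1
    fi

    return $rc
}

# usage: sh sshd_audit.sh /etc/ssh/sshd_config
if [ -n "$1" ]; then
    audit_sshd_config "$1"
fi
```

Run it against the file before reloading sshd, keep your current session (or Lish) open while you test a fresh login with the key, and cross-check with `sshd -T`, which prints the configuration sshd will actually use after all parsing rules are applied.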

