Keith,
Not really answering any of your questions, but thought it might be
worth mentioning anyway. When playing with iptables rules, if you need
to add allow rules before your catch-all drop rule, you should use the
--insert (-I) syntax instead of --append (-A). For example, if your DROP
all rule is on line 10, then you need to ensure that any rules you add
are numbered 10 or lower:
sudo iptables -I INPUT 10 -p tcp --dport 80 -j ACCEPT
This will then push the DROP rule to line 11, so the next iptables rule
would need to do -I INPUT 11, and so forth.
The other way to work with firewalls remotely without locking yourself
out (permanently), is to script everything, and then use cron or "at" to
back out your changes in 5 minutes. That way, if you make a boo boo on
your firewall config, your firewall will be restored to a known good
state in 5 minutes; if your changes work as expected, you've got enough
time to cancel the back-out strategy.
Personally, I always load my firewall rules from script on boot, as I've
had problems with iptables-save and iptables-restore in the past (more
specifically, I've had problems with these processes running
automatically as the service stops and starts, and so have lost firewall
configurations in the past).
AFAIK, SFTP only requires TCP + UDP port 115 (as per /etc/services) - it
doesn't need additional data ports opened like regular FTP.
Regarding your private key - this should be protected with a password,
so keeping it on a USB pen drive seems a tad over the top, as long as
your password is strong! Obviously if you're protecting *really*
sensitive data on your VPS, then it might be a sensible move, but in
general it sounds like overkill. Each user can be configured separately
to expect/accept different keys, so the configuration is stored in
~/.ssh/authorized_keys, with the layout being:
ssh-rsa <key> Joe Bloggs
You will need to edit the sshd configuration file if you want to
restrict (e.g. root) logins to key only. To do this, you'll want to
change the line that reads "PermitRootLogin yes" to "PermitRootLogin
without-password", and then restart the sshd service.
Hopefully that'll get you going.
Paul
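Added example (my own, not code from this thread): a small POSIX sh helper that applies Paul's two suggestions together. It reads the output of `iptables -L INPUT -n --line-numbers` to find the DROP rule's number automatically rather than tracking it by hand (so it also handles a chain with no DROP yet), builds the matching `-I` command, and schedules a restore of a saved rule set with at(1) as the back-out. The listing below is constructed sample output; `schedule_backout` needs root and a running atd.

```shell
#!/bin/sh
# Constructed sample of `iptables -L INPUT -n --line-numbers` for testing.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
3    DROP       all  --  0.0.0.0/0            0.0.0.0/0'

# Read a listing on stdin and print the number of the first DROP rule
# (nothing is printed if the chain has no DROP rule).
drop_rule_number() {
    awk '$1 ~ /^[0-9]+$/ && $2 == "DROP" { print $1; exit }'
}

# Print (do not run) the iptables command that allows TCP port $2,
# placed so it takes effect before the DROP rule found in listing $1.
# Inserting at the DROP's own number pushes the DROP down by one,
# exactly as described in the mail above.
allow_tcp_before_drop() {
    n=$(printf '%s\n' "$1" | drop_rule_number)
    if [ -z "$n" ]; then
        # No catch-all DROP yet: appending cannot shadow anything.
        printf 'iptables -A INPUT -p tcp --dport %s -j ACCEPT\n' "$2"
    else
        printf 'iptables -I INPUT %s -p tcp --dport %s -j ACCEPT\n' "$n" "$2"
    fi
}

# Save the current (known good) rule set to $1 and queue a restore of it
# in 5 minutes. at(1) reports the job id on stderr; cancel with `atrm <id>`
# once the new rules are confirmed to work. Requires root and atd.
schedule_backout() {
    iptables-save > "$1" || return 1
    echo "iptables-restore < $1" | at now + 5 minutes 2>&1
}
```

Typical use on the server: `schedule_backout /root/iptables.good`, then `eval "$(allow_tcp_before_drop "$(iptables -L INPUT -n --line-numbers)" 80)"`, and `atrm` the job once you can still log in.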
On 10/04/2010 23:13, Keith Williams wrote:
Thank you for that, I found the firewall section very useful. I am new
here, having come from managed servers where all that was done for me;
the only time, before, that I had fiddled with iptables, I managed to
lock myself out completely! I need a little bit of advice. I have
followed those instructions and locked out all ipv6 and all ports
except ssh. I now want to open up port 80 for apache. I assume I just
copy and edit the line from the guide to read:
sudo iptables --append INPUT -p tcp --dport 80 -j ACCEPT
and then add that (obviously before the drop rule!). Uploading the
site files will be done through sftp, and that port is opened. What
other ports should I open? It is only going to be straight http not
https and no mailserver etc.
And if I may, one more question. I want to use public/private key
login. I read a really interesting article recently about using this
with the private key kept on a usb key for added security on a machine
that others may use. OTT for me, but do I edit the conf file for
openssh to add the public key or can I do it in the control panel
(security tab). I know I could submit a ticket to ask for it to be
done, but would rather do everything myself (that's how you learn).
Then it's just down to configuring apache and mysql, but I am a lot
more competent and confident about them.
Thanks in advance
Keith Williams
--
Keith
The most dangerous strategy is to jump a chasm in two leaps.
www.westnorfolkrspca.org.uk <http://www.westnorfolkrspca.org.uk>