Keith,

Not really answering any of your questions, but thought it might be worth mentioning anyway. When playing with iptables rules, if you need to add allow rules before your catch-all drop rule, you should use the --insert (-I) syntax instead of --append (-A). For example, if your DROP all rule is on line 10, then you need to ensure that any rules you add are numbered 10 or lower:

sudo iptables -I INPUT 10 -p tcp --dport 80 -j ACCEPT

This will then push the DROP rule to line 11, so the next iptables rule would need to do -I INPUT 11, and so forth.

The other way to work with firewalls remotely without locking yourself out (permanently), is to script everything, and then use cron or "at" to back out your changes in 5 minutes. That way, if you make a boo boo on your firewall config, your firewall will be restored to a known good state in 5 minutes; if your changes work as expected, you've got enough time to cancel the back-out strategy.

Personally, I always load my firewall rules from script on boot, as I've had problems with iptables-save and iptables-restore in the past (more specifically, I've had problems with these processes running automatically as the service stops and starts, and so have lost firewall configurations in the past).

AFAIK, SFTP only requires TCP + UDP port 115 (as per /etc/services) - it doesn't need additional data ports opened like regular FTP.

Regarding your private key - this should be protected with a password, so keeping it on a USB pen drive seems a tad over the top, as long as your password is strong! Obviously if you're protecting *really* sensitive data on your VPS, then it might be a sensible move, but in general it sounds like overkill. Each user can be configured separately to expect/accept different keys, so the configuration is stored in ~/.ssh/authorized_keys, with the layout being:

ssh-rsa <key> Joe Bloggs

You will need to edit the sshd configuration file if you want to restrict (e.g. root) logins to key only. To do this, you'll want to change the line that reads "PermitRootLogin yes" to "PermitRootLogin without-password", and then restart the sshd service.

Hopefully that'll get you going.

Paul
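The two tricks above (insert ahead of the catch-all DROP, and queue a timed back-out with at) as a worked script. This is an added example, not code from Paul's or Keith's mail; the chain listing is constructed, and the file path /root/iptables.known-good is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): find the slot a new ACCEPT rule must
# take to sit ahead of the catch-all DROP, and stage a 5-minute back-out with
# at(1). Only apply_with_backout touches iptables/at; the helpers process text.

# Read `iptables -L INPUT -n --line-numbers` output on stdin and print the
# line number of the first DROP rule (empty if the chain has none).
drop_rule_position() {
    awk '$1 ~ /^[0-9]+$/ && $2 == "DROP" { print $1; exit }'
}

# Emit one insert command per port, each placed just before the DROP rule.
# Every insert pushes DROP down one slot, so the position is bumped per rule.
# $1 = chain listing text, remaining args = TCP ports to allow.
insert_cmds() {
    pos=$(printf '%s\n' "$1" | drop_rule_position)
    shift
    for port in "$@"; do
        if [ -z "$pos" ]; then
            printf 'iptables -A INPUT -p tcp --dport %s -j ACCEPT\n' "$port"
        else
            printf 'iptables -I INPUT %s -p tcp --dport %s -j ACCEPT\n' "$pos" "$port"
            pos=$((pos + 1))
        fi
    done
}

# Run a rules script with a safety net: save the current rules, queue a
# restore with at(1), then apply. Once you confirm you can still log in,
# list the job with atq and cancel it with atrm <job>.
# $1 = path to the script holding the new rules (assumed path below).
apply_with_backout() {
    iptables-save > /root/iptables.known-good
    echo 'iptables-restore < /root/iptables.known-good' | at now + 5 minutes
    sh "$1"
    echo 'Check access now; if it works, remove the back-out job with atrm.'
}

# Constructed sample listing (not captured from a real host): SSH allowed,
# catch-all DROP on line 4, so new ACCEPT rules must go in at 4, 5, ...
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
4    DROP       all  --  0.0.0.0/0            0.0.0.0/0'

insert_cmds "$SAMPLE_LISTING" 80
```

Running it prints the `-I INPUT 4` command for port 80; pass several ports and the positions step up 4, 5, 6 as the DROP rule moves down.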

On 10/04/2010 23:13, Keith Williams wrote:
Thank you for that, I found the firewall section very useful. I am new here, having come from managed servers where all that was done for me; the only time, before, that I had fiddled with iptables, I managed to lock myself out completely! I need a little bit of advice. I have followed those instructions and locked out all ipv6 and all ports except ssh. I now want to open up port 80 for apache. I assume I just copy and edit the line from the guide to read:
 
sudo iptables --append INPUT -p tcp --dport 80 -j ACCEPT
 
and then add that (obviously before the drop rule!). Uploading the site files will be done through sftp, and that port is opened. What other ports should I open? It is only going to be straight http not https and no mailserver etc.
 
And if I may, one more question. I want to use public/private key login. I read a really interesting article recently about using this with the private key kept on a usb key for added security on a machine that others may use. OTT for me, but do I edit the conf file for openssh to add the public key or can I do it in the control panel (security tab)? I know I could submit a ticket to ask for it to be done, but would rather do everything myself (that's how you learn).
 
Then it's just down to configuring apache and mysql, but I am a lot more competent and confident about them.
 
Thanks in advance
 
Keith Williams


--
Keith

The most dangerous strategy is to jump a chasm in two leaps.

www.westnorfolkrspca.org.uk
_______________________________________________
users mailing list
users@lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users