Local Firewall Management
Another quick question – how are local firewalls managed? iptables? The web interface?
Are fresh images blocked from the get go?
My concern is having a box spin up that's immediately susceptible to security threats.
11 Replies
@Vance:
And my recollection is that the provided images don't run any services by default, hence nothing to attack. sshd might be an exception.
Thanks Vance, that's EXACTLY what I wanted to know.
-M
I'm sure that I could really dig deep and set up a whole mess of iptables, but apf makes it easy and wrappers are already pretty easy.
@mnordhoff:
You should lock down SSH as soon as you can (disable root logins and password auth, install DenyHosts/fail2ban/etc., move it to a different port, etc.) …
For "etc.", I'd recommend firewalling the SSH port (regardless whether it's the default one or a custom port). Even if you have a dynamic IP you can specify a network range, e.g., 192.168.0.0/24, from which to allow connections, and deny access to the vast majority of the Internet.
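The range-restricted SSH rule sleddog describes, as an added example that is not from this thread: a POSIX shell function that validates the range and port and prints the iptables commands in the order they have to be applied (set APPLY=1 to execute them instead of printing). 192.168.0.0/24 and the SSH port are the values from the discussion above; the function names and the APPLY variable are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: print (or with APPLY=1 run) iptables
# rules that accept SSH only from one network range and drop it otherwise.
# 192.168.0.0/24 and port 22 are the values discussed above; the function
# names and the APPLY variable are assumptions of this example.

# Run the command when APPLY=1, otherwise just show it (dry run by default).
emit() {
    if [ "${APPLY:-0}" = "1" ]; then
        eval "$1"
    else
        echo "$1"
    fi
}

# Return 0 if $1 is a dotted-quad IPv4 CIDR (a.b.c.d/n with n in 0-32).
valid_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
    # The regex only bounds the digit count; each octet must also be 0-255.
    for octet in $(echo "${1%/*}" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# ssh_firewall_rules CIDR [PORT]
# Order matters: established connections are accepted first so the session
# you are typing in survives, the trusted range is accepted next, and the
# DROP for everyone else comes last.
ssh_firewall_rules() {
    cidr="$1"
    port="${2:-22}"
    valid_cidr "$cidr" || { echo "invalid CIDR: $cidr" >&2; return 1; }
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "invalid port: $port" >&2; return 1
    fi
    emit "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    emit "iptables -A INPUT -i lo -j ACCEPT"
    emit "iptables -A INPUT -p tcp --dport $port -s $cidr -j ACCEPT"
    emit "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# Dry run with the range used in the thread:
ssh_firewall_rules 192.168.0.0/24 22
```

The rules are appended to INPUT, so they only behave as intended if nothing earlier in that chain already drops SSH; check with `iptables -L INPUT -n --line-numbers` before applying. If sshd listens on a custom port, pass it as the second argument. IPv6 needs the same rules under ip6tables.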
@sleddog:
@mnordhoff: You should lock down SSH as soon as you can (disable root logins and password auth, install DenyHosts/fail2ban/etc., move it to a different port, etc.) …
For "etc.", I'd recommend firewalling the SSH port (regardless whether it's the default one or a custom port). Even if you have a dynamic IP you can specify a network range, e.g., 192.168.0.0/24, from which to allow connections, and deny access to the vast majority of the Internet.
Agreed. Personally, I'm also a fan of using public key authentication instead of standard passwords. Good to know there's Lish in case of trouble. =D
@sleddog:
For "etc.", I'd recommend firewalling the SSH port (regardless whether it's the default one or a custom port). Even if you have a dynamic IP you can specify a network range, e.g., 192.168.0.0/24, from which to allow connections, and deny access to the vast majority of the Internet.
Whoops, forgot about that one. Good advice.
@freedomischaos:
PermitRootLogin without-password
:) best line in sshd_config there is.
Only if you need it. Otherwise, "PermitRootLogin no".
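A check for the two sshd_config settings the thread keeps coming back to (PermitRootLogin and PasswordAuthentication), as an added example that is not from this thread. It reads the file the way sshd reads the global section (keywords are case-insensitive, the first occurrence of a keyword wins, "Keyword value" and "Keyword=value" are both accepted, and the global section ends at the first Match block) and runs against a constructed sample; the function names and the sample config are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: audit the global PermitRootLogin and
# PasswordAuthentication settings of an sshd_config the way sshd reads them.
# The function names and the constructed sample config are this example's own.

# sshd_effective FILE KEYWORD
# Print the effective global value of KEYWORD in lowercase, or nothing if it
# is unset.  Mirrors sshd_config(5): keywords are case-insensitive, the first
# occurrence wins, "Keyword value" and "Keyword=value" are both accepted, and
# settings inside a Match block do not change the global value.
sshd_effective() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*(#|$)/ { next }                       # comment or blank line
        { line = $0; sub(/^[ \t]+/, "", line) }
        tolower(line) ~ /^match([ \t]|$)/ { exit }    # global section ends here
        {
            split(line, parts, /[ \t]*=[ \t]*|[ \t]+/)
            if (tolower(parts[1]) == key) {
                gsub(/"/, "", parts[2])               # values may be double-quoted
                print tolower(parts[2])
                exit
            }
        }
    ' "$1"
}

# audit_sshd_config FILE
# Return 0 when root login is off or key-only and password auth is off;
# return 1 and flag the offending setting otherwise.
audit_sshd_config() {
    root=$(sshd_effective "$1" PermitRootLogin)
    pw=$(sshd_effective "$1" PasswordAuthentication)
    rc=0
    case "$root" in
        no) echo "PermitRootLogin: no (good)" ;;
        without-password|prohibit-password)
            echo "PermitRootLogin: $root (key-only root; fine if you need it)" ;;
        "") echo "PermitRootLogin: unset (yes before OpenSSH 7.0, prohibit-password since); set it explicitly"; rc=1 ;;
        *)  echo "PermitRootLogin: $root (FLAG)"; rc=1 ;;
    esac
    case "$pw" in
        no) echo "PasswordAuthentication: no (good)" ;;
        "") echo "PasswordAuthentication: unset (defaults to yes; FLAG)"; rc=1 ;;
        *)  echo "PasswordAuthentication: $pw (FLAG)"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample config exercising the parsing rules: a commented-out
# "yes", a lowercase keyword, an "=" form with quotes, a later duplicate that
# sshd ignores, and a Match block that must not affect the global result.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sshd_config for the audit example
Port 2222
#PermitRootLogin yes
permitrootlogin without-password
PasswordAuthentication = "no"
PermitRootLogin yes
Match User backup
    PasswordAuthentication yes
EOF
}

# Stand-alone run against the sample (pass a real path as $1 to audit that).
if [ -n "${1:-}" ]; then
    audit_sshd_config "$1"
else
    sample=$(mktemp)
    write_sample_config "$sample"
    audit_sshd_config "$sample"
    rm -f "$sample"
fi
```

Run it as `sh audit.sh /etc/ssh/sshd_config` on a fresh box to see which of the two settings still needs changing; the sample run reports the key-only root login as acceptable and password authentication as off, which is the end state the last two replies describe. Settings placed inside Match blocks are deliberately ignored here, so a per-user override that re-enables passwords would need a separate look.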