From: "James A. Pattie" <james@pcxperience.com>
To: Mark Seamans <marks@crvinc.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: Core Linux Router - NO NAT
Date: Fri, 21 Mar 2003 09:19:38 -0600
Message-ID: <3E7B2D8A.8010705@pcxperience.com>
In-Reply-To: <200303201723.50161.marks@crvinc.com>
Mark Seamans wrote:
> I have a Linux router that consists of 4 T1 ports and 1 ethernet.
> This "Router" will act as an ISP core router doing Routing Only!
> I wish to protect the box itself, while it performs its duties as a Router
> allowing only ssh from the IPs that I wish for management. This way I can
> also set up rules to protect it from DOS attacks etc...
> Now I have been thinking of this, but I can go two ways:
> 1. Making it harder than it really is -OR-
> 2. Allowing it to be so easy it is not secure.
>
> So any suggestions would be great.
Newer versions of ssh will honor the hosts.allow and hosts.deny files,
so you might want to make sure that hosts.allow only lets sshd
connections in from the IPs you are interested in. Just make sure you do
an ALL : ALL in hosts.deny so that no other services can get to the box
that you haven't allowed in hosts.allow.
Note: there are services that don't use the hosts.allow/deny files
(apache for example), so you need to make sure you don't have anything
unneeded running.
You could do this without needing to set up firewall rules, but then it
becomes harder to limit DOS attacks, etc.
--
James A. Pattie
james@pcxperience.com
Linux -- SysAdmin / Programmer
Xperience, Inc.
http://www.pcxperience.com/
http://www.xperienceinc.com/
GPG Key Available at http://www.pcxperience.com/gpgkeys/james.html
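The hosts.allow/hosts.deny approach James describes, as an added example that is not part of the original thread: a small Python model of the TCP Wrappers decision order (a match in hosts.allow grants, otherwise a match in hosts.deny refuses, otherwise access is granted) that lets you check a proposed pair of files offline before putting them on the router. It also shows the failure mode James warns about, a missing ALL : ALL in hosts.deny leaving every other wrapped service open. The management addresses and the use of the sshd daemon name are constructed assumptions; EXCEPT clauses, hostname patterns and the extended shell-command syntax of hosts_options(5) are not modelled and are rejected rather than silently ignored.

```python
"""Simplified model of TCP Wrappers (hosts.allow / hosts.deny) access control.

Decision order, as documented in hosts_access(5):
  1. access is granted if a (daemon, client) pair matches hosts.allow;
  2. otherwise access is denied if a pair matches hosts.deny;
  3. otherwise access is granted (no match in either file).
Client patterns supported: ALL, a literal IPv4 address, a trailing-dot
prefix such as 192.0.2., and net/mask in CIDR (198.51.100.0/24) or
dotted-mask (10.0.0.0/255.0.0.0) form. Daemon patterns: ALL or a name.
"""
import ipaddress
import re

# Constructed configuration in the shape the message suggests: hosts.deny
# closes everything, hosts.allow opens sshd for the management hosts only.
HOSTS_ALLOW = """
# management workstation and NOC subnet (constructed, documentation ranges)
sshd : 192.0.2.10, 198.51.100.0/24
"""
HOSTS_DENY = """
ALL : ALL
"""

UNSUPPORTED = {"EXCEPT", "KNOWN", "UNKNOWN", "PARANOID", "LOCAL"}


def parse_rules(text):
    """Return a list of (daemon_patterns, client_patterns) from file text."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blanks
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {line!r}")
        daemons = re.split(r"[,\s]+", fields[0])
        clients = re.split(r"[,\s]+", fields[1])
        if UNSUPPORTED & (set(daemons) | set(clients)):
            raise NotImplementedError(f"keyword not modelled in: {line!r}")
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, ip):
    """Does one client pattern match an ipaddress.IPv4Address?"""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                 # prefix form, e.g. 192.0.2.
        return str(ip).startswith(pattern)
    if "/" in pattern:                        # CIDR or dotted netmask
        return ip in ipaddress.ip_network(pattern, strict=False)
    return ip == ipaddress.ip_address(pattern)


def daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def rules_match(rules, daemon, ip):
    return any(
        any(daemon_matches(d, daemon) for d in daemons)
        and any(client_matches(c, ip) for c in clients)
        for daemons, clients in rules
    )


def access_allowed(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Apply the allow-then-deny-then-default-allow order of hosts_access(5)."""
    ip = ipaddress.ip_address(client_ip)
    if rules_match(parse_rules(allow_text), daemon, ip):
        return True
    if rules_match(parse_rules(deny_text), daemon, ip):
        return False
    return True  # neither file matched: TCP Wrappers grants access


if __name__ == "__main__":
    for daemon, ip in [("sshd", "192.0.2.10"), ("sshd", "198.51.100.77"),
                       ("sshd", "203.0.113.5"), ("in.telnetd", "192.0.2.10")]:
        print(f"{daemon:12} from {ip:15} -> {'allow' if access_allowed(daemon, ip) else 'deny'}")
    # The caveat from the message: without ALL : ALL in hosts.deny, a
    # wrapped service that is not in hosts.allow is reachable from anywhere.
    print("in.telnetd with empty hosts.deny ->",
          "allow" if access_allowed("in.telnetd", "203.0.113.5", deny_text="") else "deny")
```

The daemon argument is the process name libwrap is given (sshd for OpenSSH built with TCP Wrappers support), so the model only tells you what a wrapped daemon would decide; as James notes, a service that does not link against libwrap never consults these files at all.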
Thread overview: 5+ messages
2003-03-20 23:23 Core Linux Router - NO NAT Mark Seamans
2003-03-21 6:41 ` Joel Newkirk
2003-03-21 11:16 ` Mark Seamans
2003-03-21 15:23 ` Kelly Setzer
2003-03-21 15:19 ` James A. Pattie [this message]