Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
The Proftp server is set only to allow certain login user and from only certain IP addresses.
<Limit LOGIN>
Order Allow,Deny
Allow 104.235.22.123, 123.123.123.123, etc,
DenyAll
</Limit>
Question 1:
Is there a way to use xxx.noip.com, yyy.noip.com addressing instead of IPs?
Question 2:
If the answer to question 1 is no, then how do I break the very long line of IP addresses into multiple lines?
I tried the usual backslash \ and had no luck.
(What I am attempting is to create a host lookup and put only those IP addresses into the "Allow" line for all my clients. As it is now, that is going to be a nightmare.)
You could also program the iptables firewall to allow incoming connections to the port that proftpd is listening on only from specific IP addresses. I'm not sure if you can get it to work with a dynamic DNS service, but if you're paranoid you could try setting up a technique called port knocking.
I would also suggest to double up on this security with the /etc/hosts.deny /etc/hosts.deny capabilities. This way if an update allows one function to be exploited, it will have a second layer of security.
Proper hardening should always consist of multiple layers but please don't present tcp_wrappers as a cure-all (note).
You're correct, it is a bad habit by itself. I need to remember to state specifically that I have a preference to work with dynamic firewalls and tend to use hosts.deny for specific ports. Interesting though, I did not know the part about the software requirements of libwrap.
Our new servers are going to use both ways. But if you, or someone else, could be so kind: what would be the IPTABLES rule to stop all but 2 single IP addresses on ETH0 from getting in?
What I tried stops both the WAN ETH0 and LAN ETH1 side, which is nice once in a while but not always.
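As an added example (not posted in this thread), the following script builds the iptables rules for exactly this case: a dedicated chain that accepts the listed client addresses on the WAN interface's FTP port and drops everything else there, without touching the LAN interface. The interface name (eth0), port (21) and the two client addresses are assumed for illustration; the helper for resolving a noip.com name through the system resolver is also an assumption about how one would feed dynamic DNS names into the same rules.

```shell
#!/bin/sh
# Added example, not from the thread: emit iptables commands that let only the
# listed addresses reach proftpd on the WAN interface and leave the LAN
# interface (eth1 in the thread) alone. Interface, port and address values
# are assumed for illustration.

# ftp_allow_rules <iface> <port> <addr>...
# Prints the commands instead of running them, so the result can be reviewed
# (or piped to "sh" as root) before anything touches the live firewall.
ftp_allow_rules() {
    iface=$1
    port=$2
    shift 2
    # Dedicated chain: flushing it later is cheap, so a cron job can rebuild
    # the allow list when a dynamic-DNS name resolves to a new address.
    echo "iptables -N FTP_IN 2>/dev/null || iptables -F FTP_IN"
    for addr in "$@"; do
        echo "iptables -A FTP_IN -s $addr -j ACCEPT"
    done
    # Anything else arriving on this port is dropped.
    echo "iptables -A FTP_IN -j DROP"
    # Jump into the chain only for traffic entering on the WAN interface;
    # -C checks first so re-running the script does not add a duplicate jump.
    echo "iptables -C INPUT -i $iface -p tcp --dport $port -j FTP_IN 2>/dev/null ||" \
         "iptables -I INPUT -i $iface -p tcp --dport $port -j FTP_IN"
}

# resolve_addr <name-or-ip>: prints the IPv4 address for a host name
# (e.g. a noip.com name) via the system resolver; dotted-quad literals
# are passed through unchanged. Assumed helper, not part of the thread.
resolve_addr() {
    case $1 in
        *[!0-9.]*) getent ahostsv4 "$1" | awk '{ print $1; exit }' ;;
        *)         echo "$1" ;;
    esac
}

# Example: two fixed client addresses (constructed) on eth0, port 21.
ftp_allow_rules eth0 21 104.235.22.123 123.123.123.123
```

This only covers the control connection; passive-mode data connections land on the PassivePorts range and need either the same source restriction on those ports or the nf_conntrack_ftp helper with a RELATED rule.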
You are getting a lot of different iptables information from a lot of different people, so I am guessing you might have a chained-tables setup. Some people run a flat table, which is easier to understand but very limited. For more advanced setups they run chained tables, and for those I am not the most suited person to answer your question. I would suggest, though, reading up specifically on chained tables.