| 4:49 pm on Oct 13, 2006 (gmt 0)|
Hi, I got a brand new root server about 3 months ago but I've not used it much at all. I SFTPed a few files over to check it worked and it WAS fine. I was and still am a total noob. At some point between then and now I saw the firewall icon in my control panel, got really excited and pressed it. I don't think I checked it straight away but it seems that since that little eureka moment I haven't been able to transfer anything, either FTP or SFTP. I phoned 1and1 and asked them to see what has happened and they said port 21 is being blocked by the firewall. I guess port 22 is being blocked as well as I can't FTP either.
1) What should I do to unblock both ports, but allow access to only 1 remote IP address? I've seen some examples on the internet like this...
iptables -A INPUT -p tcp -s 192.168.0.0/16 --dport 21 -j ACCEPT
If this doesn't work, what else can I try, bearing in mind that when I look at the IPTables rules through the 1and1 control panel (not Plesk), it says that port 21 is accepting everything for anyone and port 22 isn't listed?
Hope I've made sense, thanks.
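The rule quoted above admits one source range to port 21 but says nothing about what happens to everyone else. Below is an added example (not posted by anyone in this thread) of a small POSIX shell script that builds a complete INPUT chain: loopback and established traffic are accepted, the admin ports are opened only to a single address, port 80 stays open for the web server, and the default policy is set to DROP last so that applying it over an existing SSH session does not cut that session off. ADMIN_IP (a TEST-NET-3 documentation address), ADMIN_PORTS and the port 80 rule are constructed assumptions; the "print" mode exists so the rules can be reviewed before they are applied as root.

```shell
#!/bin/sh
# Added example, not from the thread: admit SSH only from one administrative
# address and drop everything else on INPUT.
# Constructed placeholders; replace with your own values.
ADMIN_IP="203.0.113.10"   # RFC 5737 documentation address, stands in for your IP
ADMIN_PORTS="22"          # add 21 only if you really must keep plain FTP

# Validate a dotted-quad IPv4 address with optional /prefix, so a typo cannot
# open the port to everyone or lock you out.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
    addr=${1%%/*}
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1   # each octet must fit in a byte
    done
    return 0
}

# build_rules IP PORTS MODE: MODE "print" echoes the iptables commands for
# review; any other MODE executes them (requires root).
build_rules() {
    ip=$1; ports=$2; mode=$3
    valid_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
    run() { if [ "$mode" = "print" ]; then echo "iptables $*"; else iptables "$@"; fi; }
    run -F INPUT                                   # start from a clean chain
    run -A INPUT -i lo -j ACCEPT                   # local services talk to themselves
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for p in $ports; do                            # admin ports: one source only
        run -A INPUT -p tcp -s "$ip" --dport "$p" -m state --state NEW -j ACCEPT
    done
    run -A INPUT -p tcp --dport 80 -j ACCEPT       # public web server (assumption)
    run -P INPUT DROP                              # policy last, after the accepts
}

# Usage: sh allow-admin.sh         (review)   |   sh allow-admin.sh apply (as root)
case "${1:-print}" in
    apply) build_rules "$ADMIN_IP" "$ADMIN_PORTS" apply ;;
    *)     build_rules "$ADMIN_IP" "$ADMIN_PORTS" print ;;
esac
```

Run it without arguments first and read the printed commands; only once the source address is right should it be re-run with "apply". Keep a second session open while doing so, and remember that the ESTABLISHED rule is what keeps that session alive when the policy flips to DROP.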
| 5:27 pm on Oct 13, 2006 (gmt 0)|
Port 22 is ssh, but I guess that's what you meant.
I've just done this myself recently using ssh. I installed shorewall, which I used to configure iptables; I struggled for a bit but it turned out to be quite simple. There are comprehensive configuration tutorials on the shorewall site. If you are a stand-alone server with the firewall on the server, you only need one zone: net (the internet).
I know this isn't what you asked but it could be another route for you if you remain stuck.
| 6:27 pm on Oct 13, 2006 (gmt 0)|
Thanks topr8, I will have a go with what you suggested. But first I will turn the firewall off to see if that makes a difference, because I'm sure after turning it on I was unable to use SFTP. Some people say that you don't need a firewall if you "lock things down". What's your opinion on this?
| 7:58 pm on Oct 13, 2006 (gmt 0)|
If you are running FTP, you are defeating the purpose of using SSH/SFTP. Shut it down!
I'd recommend moving SSH to a different port, in any case, if for no other reason than to de-clutter your log file. By moving SSH to a different port, you will eliminate 99% of SSH attempts, which are primarily script-kiddies.
Remember that if you do move SSH to a different port (edit /etc/ssh/ssh_config and/or ~/.ssh/config), you need to configure your SSH client(s) to use the alternate port.
It's useful to disable password login through SSH. Use keys instead.
If you do not have a firewall, make sure to configure MySQL to bind only to localhost! If you want to use remote MySQL management tools, you can tunnel through SSH.
A firewall is still useful, even if everything is "locked down". (Define "locked down"...) You can run scripts that will detect certain intrusion attempts, and dynamically alter firewall rules to block the suspected intruder(s). A firewall can also be useful for blocking unwanted search-engine crawlers without imposing any load on your webserver.
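The post above recommends three server-side settings: SSH on a non-default port, key-only SSH login, and MySQL bound to localhost. The following is an added example (not from the thread) of a POSIX shell audit that checks those settings in the files the daemons actually read: sshd reads /etc/ssh/sshd_config and takes the first uncommented value of each keyword, and MySQL takes bind-address (or skip-networking) from the [mysqld] section of my.cnf. The sample config files it writes under $TMPDIR are constructed for the demonstration; point audit_sshd and audit_mysql at the real paths on a server.

```shell
#!/bin/sh
# Added example, not from the thread: audit sshd_config and my.cnf for the
# settings recommended above. Sample files below are constructed.

# sshd_value KEY FILE: effective value of KEY, using sshd's rule that the
# first uncommented occurrence wins (keywords are case-insensitive).
sshd_value() {
    key=$1; file=$2
    awk -v k="$key" 'tolower($1)==tolower(k) { print $2; exit }' "$file"
}

# audit_sshd FILE: print one line per finding; return value is the number
# of findings, so 0 means the file passes.
audit_sshd() {
    file=$1; findings=0
    port=$(sshd_value Port "$file");                  port=${port:-22}   # sshd default
    pw=$(sshd_value PasswordAuthentication "$file");  pw=${pw:-yes}      # sshd default
    if [ "$port" = "22" ]; then
        echo "sshd: still listening on the default port 22"
        findings=$((findings + 1))
    fi
    if [ "$pw" != "no" ]; then
        echo "sshd: password authentication enabled; set PasswordAuthentication no and use keys"
        findings=$((findings + 1))
    fi
    return $findings
}

# audit_mysql FILE: 0 if MySQL cannot be reached over the network from
# outside the host, 1 otherwise.
audit_mysql() {
    file=$1
    # skip-networking turns TCP off entirely, which also satisfies the advice
    grep -Eq '^[[:space:]]*skip-networking' "$file" && return 0
    bind=$(awk -F= '/^[[:space:]]*bind-address[[:space:]]*=/ {
                        gsub(/[[:space:]]/, "", $2); print $2; exit }' "$file")
    if [ "$bind" = "127.0.0.1" ] || [ "$bind" = "localhost" ]; then
        return 0
    fi
    echo "mysql: bind-address is '${bind:-unset}'; set bind-address = 127.0.0.1 under [mysqld]"
    return 1
}

# Constructed sample configs so the script runs self-contained.
tmp=${TMPDIR:-/tmp}/audit-demo.$$
mkdir -p "$tmp"
cat > "$tmp/sshd_config.weak" <<'EOF'
#Port 22
PasswordAuthentication yes
EOF
cat > "$tmp/sshd_config.hardened" <<'EOF'
Port 2222
PasswordAuthentication no
PermitRootLogin no
EOF
cat > "$tmp/my.cnf.weak" <<'EOF'
[mysqld]
datadir=/var/lib/mysql
EOF
cat > "$tmp/my.cnf.ok" <<'EOF'
[mysqld]
bind-address = 127.0.0.1
EOF

for f in "$tmp/sshd_config.weak" "$tmp/sshd_config.hardened"; do
    echo "== $f"; audit_sshd "$f" || echo "   -> $? finding(s)"
done
for f in "$tmp/my.cnf.weak" "$tmp/my.cnf.ok"; do
    echo "== $f"; audit_mysql "$f" || echo "   -> not bound to localhost"
done
```

Because the return code is the finding count, the audit drops straight into a cron job or a deployment check ("audit_sshd /etc/ssh/sshd_config || mail ..."). Remember that after editing the real sshd_config the daemon has to be reloaded, and that the new port must be admitted by the firewall before the old one is closed.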