Linux, Unix, and *nix like Operating Systems Forum

Sftp
SFTP, iptables, firewall
enterprise
Msg#: 3120035 posted 4:49 pm on Oct 13, 2006 (gmt 0)

Hi, I got a brand new root server about 3 months ago but I've not used it much at all. I SFTPed a few files over to check it worked and it WAS fine. I was and still am a total noob. At some point between then and now I saw the firewall icon in my control panel, got really excited and pressed it. I don't think I checked it straight away but it seems that since that little eureka moment I haven't been able to FTP anything, either FTP or SFTP. I phoned 1and1 and asked them to see what has happened and they said port 21 is being blocked by the firewall. I guess port 22 is being blocked as well as I can't FTP either.


1) What should I do to unblock both ports, but allow access to only one remote IP address? I've seen some examples on the internet like this...
iptables -A INPUT -p tcp -s 192.168.0.0/16 --dport 21 -j ACCEPT

If this doesn't work, what else can I try, bearing in mind that when I look at the iptables rules through the 1and1 control panel (not Plesk), it says that port 21 is accepting everything for anyone and port 22 isn't listed?

Hope I've made sense, thanks.
Graham
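The question above asks for a rule set that opens the admin ports to one remote address only. The script below is an added example, not code from the thread or from 1and1's panel: it prints an iptables INPUT rule set (so it can be reviewed before being piped to a root shell) that accepts the given ports only from a single admin address and drops everything else. SFTP runs over SSH on port 22, so port 21 is only needed if a plain FTP daemon must stay reachable; the address 203.0.113.10, port 2222-style values and the PUBLIC_PORTS variable are constructed assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables INPUT rule set that
# accepts SSH/SFTP only from one administrative address and drops the rest.
# Nothing is applied directly; the generated commands are printed so they can
# be reviewed first and then piped to a root shell on the server:
#   sh admin_only.sh 203.0.113.10 22 | sudo sh
# 203.0.113.10 is a constructed placeholder address; use your own static IP.
# SFTP rides on SSH (port 22); port 21 is only needed for plain FTP, so pass it
# as an extra argument only if a plain FTP daemon must stay reachable.

valid_ipv4() {
    # Accept a dotted quad with an optional /prefix; reject anything that
    # could carry shell metacharacters into the generated commands.
    case "$1" in
        ''|*[!0-9./]*) return 1 ;;
    esac
    return 0
}

valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_rules ADMIN_IP PORT [PORT...]: print the iptables commands, one per line.
gen_rules() {
    admin_ip="$1"
    shift
    valid_ipv4 "$admin_ip" || { echo "invalid admin address: $admin_ip" >&2; return 1; }
    [ "$#" -ge 1 ] || { echo "at least one admin port is required" >&2; return 1; }
    for p in "$@"; do
        valid_port "$p" || { echo "invalid port: $p" >&2; return 1; }
    done

    # Start from a clean INPUT chain with an open policy, so a remote session
    # is not cut off between the flush and the ESTABLISHED rule below.
    echo "iptables -P INPUT ACCEPT"
    echo "iptables -F INPUT"
    # Loopback traffic and replies to connections the server itself opened.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Public services, if any, listed in PUBLIC_PORTS (e.g. PUBLIC_PORTS='80 443').
    for p in ${PUBLIC_PORTS:-}; do
        valid_port "$p" || { echo "invalid public port: $p" >&2; return 1; }
        echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"
    done
    # Administrative ports reachable only from the single admin address.
    for p in "$@"; do
        echo "iptables -A INPUT -p tcp -s $admin_ip --dport $p -j ACCEPT"
    done
    # Rate-limited log line for anything about to be dropped, then drop by policy.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'iptables-drop: '"
    echo "iptables -P INPUT DROP"
}

if [ "$#" -gt 0 ]; then
    gen_rules "$@"
fi
```

The DROP policy is set last on purpose: if it were set before the ESTABLISHED rule exists, the SSH session used to apply the rules would itself be cut off. Keep a console or rescue-system path available the first time this is applied, and note that the generated rules are not persistent across a reboot unless saved with the distribution's own mechanism.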

topr8
Msg#: 3120035 posted 5:27 pm on Oct 13, 2006 (gmt 0)

Port 22 is SSH, but I guess that's what you meant.

I've just done this myself recently using SSH. I installed Shorewall, which I used to configure iptables; I struggled for a bit but it turned out to be quite simple. There are comprehensive configuration tutorials on the Shorewall site. If you are a stand-alone server with the firewall on the server, you only need one zone: net (the internet).

I know this isn't what you asked, but it could be another route for you if you remain stuck.

enterprise
Msg#: 3120035 posted 6:27 pm on Oct 13, 2006 (gmt 0)

Thanks topr8, I will have a go with what you suggested. But first I will turn the firewall off to see if that makes a difference because I'm sure after turning it on I was unable to use SFTP. Some people say that you don't need a firewall if you "lock things down". What's your opinion on this?

Cheers, Graham

jtara
Msg#: 3120035 posted 7:58 pm on Oct 13, 2006 (gmt 0)

If you are running FTP, you are defeating the purpose of using SSH/SFTP. Shut it down!

I'd recommend moving SSH to a different port, in any case, if for no other reason than to de-clutter your log file. By moving SSH to a different port, you will eliminate 99% of SSH attempts, which are primarily script-kiddies.

Remember that if you do move SSH to a different port (edit /etc/ssh/ssh_config and/or ~/.ssh/config) you need to configure your SSH client(s) to use the alternate port.

It's useful to disable password login through SSH. Use keys instead.

If you do not have a firewall, make sure to configure MySQL to bind only to localhost! If you want to use remote MySQL management tools, you can tunnel through SSH.

A firewall is still useful, even if everything is "locked down". (Define "locked down"...) You can run scripts that will detect certain intrusion attempts, and dynamically alter firewall rules to block the suspected intruder(s). A firewall can also be useful for blocking unwanted search-engine crawlers without imposing any load on your webserver.
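The hardening steps in the answer above (move SSH to another port, switch off password login, bind MySQL to localhost and tunnel over SSH instead) come down to a few config-file edits that are easy to get subtly wrong. The script below is an added example, not from the thread or from any of the posters: small idempotent shell helpers that set and audit those options on whatever file they are given, so they can be tried on a copy first. It assumes the server-side SSH daemon reads /etc/ssh/sshd_config (ssh_config and ~/.ssh/config are the client-side files) and that the MySQL server section is [mysqld]; port 2222 and the sample file contents are constructed values.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent helpers for the hardening
# steps above. They take a file path, so they can be dry-run on a copy before
# touching /etc/ssh/sshd_config or /etc/my.cnf. Assumed paths and the port
# number 2222 are example values.

# set_option FILE KEY VALUE: replace every existing line whose first word is
# KEY (including a commented-out "#Key value" default) with one "KEY VALUE"
# line, or append it if there was none.
set_option() {
    file="$1"; key="$2"; value="$3"
    tmp="$file.tmp.$$"
    awk -v k="$key" -v v="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)   # strip indent and a leading "#"
            split(line, f, /[ \t]+/)
            if (f[1] == k) {                  # existing setting for this key
                if (!done) { print k " " v; done = 1 }
                next                          # drop duplicates
            }
            print
        }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_option FILE KEY: print the effective value. sshd uses the first
# uncommented occurrence; Match blocks are not modelled here.
get_option() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        $1 == k { print $2; exit }
    ' "$1"
}

# audit_sshd FILE: return 0 when password login is off, otherwise report
# what is still open and return 1. Also shows which port sshd will use.
audit_sshd() {
    rc=0
    [ "$(get_option "$1" PasswordAuthentication)" = no ] \
        || { echo "PasswordAuthentication is not 'no'"; rc=1; }
    port=$(get_option "$1" Port)
    echo "sshd port: ${port:-22 (default)}"
    return $rc
}

# mysql_bound_to_localhost FILE: return 0 if the last bind-address in the
# [mysqld] section is a loopback address, 1 otherwise. No setting at all
# also returns 1, since MySQL then listens on every interface.
mysql_bound_to_localhost() {
    awk '
        /^[ \t]*\[/ {
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            section = s; next
        }
        section == "mysqld" && /^[ \t]*bind-address[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
            last = v
        }
        END {
            if (last == "127.0.0.1" || last == "localhost" || last == "::1") exit 0
            exit 1
        }
    ' "$1"
}

# Typical use, as root, after backing up the originals and before disabling
# password login make sure your public key is already in ~/.ssh/authorized_keys:
#   set_option /etc/ssh/sshd_config Port 2222
#   set_option /etc/ssh/sshd_config PasswordAuthentication no
#   audit_sshd /etc/ssh/sshd_config && sshd -t   # sshd -t checks the syntax
# then restart sshd with your distribution's service manager and reconnect with
#   ssh -p 2222 user@server
# Reach MySQL through a tunnel instead of opening port 3306 to the world:
#   ssh -p 2222 -N -L 3306:127.0.0.1:3306 user@server
```

Keep the existing SSH session open while restarting sshd on the new port and test a second connection first; if `sshd -t` or the new connection fails, the old session is still there to revert the change. Note that `set_option` collapses repeated keys to one line, so a deliberate multi-`Port` setup would need to be re-added by hand.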
