[Box-Admins] The story from the log files

Levente Uzonyi leves at elte.hu
Fri Oct 26 21:06:36 UTC 2012


On Fri, 26 Oct 2012, Chris Cunnington wrote:

> On 2012-10-26 4:43 PM, Levente Uzonyi wrote:
>> On Thu, 25 Oct 2012, Chris Cunnington wrote:
>> 
>>> On 2012-10-25 12:50 PM, Levente Uzonyi wrote:
>>> Yes. I would like to see that, please.
>>> 
>>> Chris
>>> 
>> 
>> I uploaded the firewall script to http://leves.web.elte.hu/squeak/firewall 
>> . This basic version keeps port 22 and 80 open and drops all packets 
>> arriving to other ports. If you want something different, then you have to 
>> change the rules() function. When the file is copied to /etc/init.d , then
>> 
>> $ /etc/init.d/firewall start
>> 
>> will "start" the firewall. If you want to start it whenever the server is 
>> restarting, then just do
>> 
>> $ /etc/init.d/firewall install
>> 
>> I'd suggest commenting out the line
>>
>>   iptables -A INPUT -j DROP
>> 
>> the first time, so you won't lose the connection to the server if anything 
>> goes wrong. :)
>> 
>> 
>> Levente
> This looks cool. I'll start to read it over. If it closes all the ports 
> except 22 and 80, then I'm going to need to learn to add lines for RFB and 
> the Altitude image:
>
> iptables -A INPUT -p tcp --dport 5900 -j ACCEPT #vnc
>
>
> Thanks for making this available.

You shouldn't open any ports for VNC (especially not the default 5900), 
but tunnel it through SSH instead, because the VNC connection is not 
encrypted[1]. If someone gets your password, then he gains full access to 
the site and some access to the box too. By default the Squeak RFB server 
disallows non-local connections in order to avoid this issue.


Levente

[1] http://en.wikipedia.org/wiki/Virtual_Network_Computing#Security

>
> Chris
>
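Added example (an editor's illustration, not the script Levente uploaded to http://leves.web.elte.hu/squeak/firewall and not part of this thread): a minimal init-style firewall in the shape the message describes, with a rules() function that accepts only the listed TCP ports and closes everything else with a final DROP. The SAFE_MODE switch, the IPTABLES override, the ALLOWED_TCP_PORTS list and the dryrun action are assumptions of this example, not features of the uploaded script; SAFE_MODE=1 gives the same protection as commenting out the `iptables -A INPUT -j DROP` line on the first run, and IPTABLES=echo prints the rules instead of applying them, so the ruleset can be reviewed without root or a real netfilter.

```shell
#!/bin/sh
# Added example, not the firewall script from the thread: an init-style
# wrapper around iptables with start / stop / dryrun actions.

# Inbound TCP ports to keep open (constructed default: SSH and HTTP).
# Extend this list rather than editing rules() when a new service is needed.
ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-22 80}"
# SAFE_MODE=1 skips the final DROP, so a mistake in the rules on the first
# run cannot cut off the SSH session you are running this from (assumed knob).
SAFE_MODE="${SAFE_MODE:-0}"
# IPTABLES=echo turns every rule into printed text for a dry run (assumed knob).
IPTABLES="${IPTABLES:-iptables}"

rules() {
    # Flush INPUT first so repeated starts do not stack duplicate rules.
    $IPTABLES -F INPUT
    # Loopback is always allowed: a VNC server bound to 127.0.0.1 and reached
    # through an SSH tunnel needs nothing else opened.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    # Replies to connections the box itself initiated.
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for port in $ALLOWED_TCP_PORTS; do
        $IPTABLES -A INPUT -p tcp --dport "$port" -j ACCEPT
    done
    # The rule that actually closes the box; omitted while SAFE_MODE=1.
    if [ "$SAFE_MODE" != "1" ]; then
        $IPTABLES -A INPUT -j DROP
    fi
}

stop() {
    # Remove our rules again (INPUT policy is assumed to be ACCEPT).
    $IPTABLES -F INPUT
}

# Number of ACCEPT rules a dry run would install for the given TCP port.
# The subshell keeps IPTABLES=echo from leaking into the caller.
count_port_rules() {
    ( IPTABLES=echo; rules ) | grep -c -- "--dport $1 -j ACCEPT" || true
}

# Number of DROP rules a dry run would install (1 normally, 0 in SAFE_MODE).
count_drop_rules() {
    ( IPTABLES=echo; rules ) | grep -c -- "-j DROP" || true
}

main() {
    case "$1" in
        start)  rules ;;
        stop)   stop ;;
        dryrun) ( IPTABLES=echo; rules ) ;;
        *)      echo "Usage: $0 {start|stop|dryrun}" >&2; return 1 ;;
    esac
}

# Only dispatch when an action was given, so the file can also be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run `sh firewall dryrun` to read the rules before `start`, and keep `SAFE_MODE=1` for the first real start until you have confirmed a second SSH login still works. Port 5900 is deliberately absent from ALLOWED_TCP_PORTS, in line with the advice above: leave the Squeak RFB server listening on localhost only and reach it from the client with `ssh -L 5900:localhost:5900 user@box`, which carries the unencrypted VNC session inside the SSH connection instead of exposing it on the network.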