Differences
cdr:vms:web-server [2017/03/24 05:44] jamesdro [Firewall Rules]
cdr:vms:web-server [2017/05/06 04:29] jamesdro [Access Control]
Line 1: | Line 1: | ||
- | ====== ubnetdef ====== | + | ====== Web Server ====== |
Our front-facing public webserver. You're literally connected to this server right now, as you're on our wiki. | Our front-facing public webserver. You're literally connected to this server right now, as you're on our wiki. | ||
===== Host Information ===== | ===== Host Information ===== | ||
* IP: 128.205.44.157 | * IP: 128.205.44.157 | ||
+ | * IP: 192.168.0.21 ([Red Team Network](/cdr/networks/blue_red)) | ||
* Reverse DNS: net-def.cse.buffalo.edu | * Reverse DNS: net-def.cse.buffalo.edu | ||
- | * vCenter Cluster: UBNetDef / LEGACY | + | * vCenter Cluster: MAIN |
- | * vCenter Datastore: [cdr-iscsi2](/cdr/servers/cdr-iscsi2) | + | * vCenter Datastore: [cdr-iscsi1](/cdr/servers/cdr-iscsi1) |
===== Access Control ===== | ===== Access Control ===== | ||
- | Accounts on this machine is manually controlled. | + | Access to this server is controlled via our [central authentication server](master). |
===== Firewall Rules ===== | ===== Firewall Rules ===== | ||
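Review bot: the new Access Control line links to `master` as a bare page name, while the other links in this hunk (`/cdr/networks/blue_red`, `/cdr/servers/cdr-iscsi1`) use full wiki paths; use the full path, or confirm the relative target resolves from `cdr:vms:web-server`, so the pointer to the central authentication server does not dangle. The added `192.168.0.21 ([Red Team Network](/cdr/networks/blue_red))` line also means this host now sits on two networks, so the page should state which services are reachable from the Red Team side rather than leaving readers to infer it from the firewall section.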
Line 15: | Line 16: | ||
<file conf /etc/iptables/rules.v4> | <file conf /etc/iptables/rules.v4> | ||
- | # Generated by iptables-save v1.4.21 on Fri Mar 24 01:42:15 2017 | + | # Generated by iptables-save v1.4.21 on Fri Mar 24 01:42:12 2017 |
*filter | *filter | ||
:INPUT DROP [1:36] | :INPUT DROP [1:36] | ||
:FORWARD ACCEPT [0:0] | :FORWARD ACCEPT [0:0] | ||
:OUTPUT DROP [1:84] | :OUTPUT DROP [1:84] | ||
- | :fail2ban-ssh - [0:0] | + | -A INPUT -i lo -j ACCEPT |
- | -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh | + | -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT |
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT | -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT | ||
+ | -A INPUT -p udp -m udp --dport 123 -j ACCEPT | ||
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT | -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT | ||
- | -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT | ||
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | ||
+ | -A OUTPUT -o lo -j ACCEPT | ||
+ | -A OUTPUT -p tcp -m tcp -d 128.205.32.55 --dport 25 -j ACCEPT | ||
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT | -A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT | ||
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT | -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT | ||
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT | -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT | ||
+ | -A OUTPUT -p udp -m udp --dport 123 -j ACCEPT | ||
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT | -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT | ||
+ | -A OUTPUT -d 128.205.44.172/32 -p udp -m udp --dport 1514 -j ACCEPT | ||
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | ||
- | -A fail2ban-ssh -j RETURN | ||
COMMIT | COMMIT | ||
- | # Completed on Fri Mar 24 01:42:15 2017 | + | # Completed on Fri Mar 24 01:42:12 2017 |
</file> | </file> | ||
===== Notes ===== | ===== Notes ===== | ||
[fail2ban](https://www.fail2ban.org/wiki/index.php/Main_Page) is installed, protecting against SSH bruteforce attacks. Don't mess up a login multiple times, as your IP will be banned. | [fail2ban](https://www.fail2ban.org/wiki/index.php/Main_Page) is installed, protecting against SSH bruteforce attacks. Don't mess up a login multiple times, as your IP will be banned. |
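Review bot: the `:fail2ban-ssh - [0:0]` chain and its `-p tcp -m multiport --dports 22 -j fail2ban-ssh` jump are dropped from `rules.v4` in this hunk, yet the Notes section still says fail2ban bans an IP after repeated failed SSH logins; if the intent is that fail2ban creates and populates its own chain when the service starts (in which case restoring a saved copy of that chain from this file, as the old version did, is what should be avoided), say so beside the rules, otherwise the Notes claim is now stale. Separately, the `--dport 22`, `--dport 80` and `--dport 443` INPUT rules carry no `-i` or `-s` match, so with the Red Team interface (192.168.0.21) now documented on this page they accept on that network exactly as on the public 128.205.44.157 address; if SSH is meant for administrators only, restricting the port 22 rule by interface or source would both document and enforce that. Finally, the two new fixed-destination OUTPUT rules (`-d 128.205.32.55 --dport 25` and `-d 128.205.44.172/32 --dport 1514`) name hosts that appear nowhere else on the page; a short note saying what each host is (the SMTP relay, and whatever receives udp/1514) would make the ruleset auditable.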