Differences
This shows you the differences between two versions of the page.
cdr:vms:web-server [2017/04/26 15:05] jamesdro ↷ Page name changed from cdr:vms:ubnetdef to cdr:vms:web-server |
cdr:vms:web-server [2018/03/12 06:54] jamesdro Updating firewall rules |
Line 1: | Line 1: | ||
- | ====== ubnetdef ====== | + | ====== Web Server ====== |
Our front-facing public webserver. You're literally connected to this server right now, as you're on our wiki. | Our front-facing public webserver. You're literally connected to this server right now, as you're on our wiki. | ||
Line 10: | Line 10: | ||
===== Access Control ===== | ===== Access Control ===== | ||
- | Accounts on this machine is manually controlled. | + | Access to this server is controlled via our [central authentication server](master). |
===== Firewall Rules ===== | ===== Firewall Rules ===== | ||
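Review bot: the rewritten Access Control line points at the central authentication server but drops the old statement about manually managed local accounts without saying what became of them; add a sentence stating whether those accounts were removed, disabled, or kept for emergency local login, since the diff alone leaves either reading open.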
Line 16: | Line 16: | ||
<file conf /etc/iptables/rules.v4> | <file conf /etc/iptables/rules.v4> | ||
- | # Generated by iptables-save v1.4.21 on Fri Mar 24 01:42:12 2017 | + | # Generated by iptables-save v1.4.21 on Mon Feb 19 17:37:45 2018 |
*filter | *filter | ||
- | :INPUT DROP [1:36] | + | :INPUT DROP [15:1067] |
:FORWARD ACCEPT [0:0] | :FORWARD ACCEPT [0:0] | ||
- | :OUTPUT DROP [1:84] | + | :OUTPUT DROP [0:0] |
+ | :fail2ban-ssh - [0:0] | ||
+ | -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh | ||
-A INPUT -i lo -j ACCEPT | -A INPUT -i lo -j ACCEPT | ||
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT | -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT | ||
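Review bot: `:fail2ban-ssh - [0:0]` and `-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh` (plus the chain's RETURN-only body further down) are fail2ban's own runtime state captured by `iptables-save`, not hand-written policy. fail2ban recreates this chain and inserts its own jump rule when it starts, so a persisted copy means a rules restore followed by a fail2ban start leaves two jumps into the chain, and any bans active at save time are not carried over because the saved chain holds only RETURN. Either strip the fail2ban-managed lines before saving to rules.v4, or document that fail2ban must be restarted after every rules restore so the live chain matches what fail2ban expects.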
Line 28: | Line 30: | ||
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | ||
-A OUTPUT -o lo -j ACCEPT | -A OUTPUT -o lo -j ACCEPT | ||
- | -A OUTPUT -p tcp -m tcp -d 128.205.32.55 --dport 25 -j ACCEPT | + | -A OUTPUT -d 128.205.32.55/32 -p tcp -m tcp --dport 25 -j ACCEPT |
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT | -A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT | ||
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT | -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT | ||
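Review bot: the SMTP rule change is cosmetic only; `iptables-save` now emits `-d 128.205.32.55/32` before `-p tcp`, and the match set is identical, so no behavioural change should be attributed to this hunk. While in this block, note that the two port 53 rules accept DNS to any destination, whereas the SMTP rule is pinned to a single host; with an OUTPUT DROP policy, pinning them to the resolvers this server actually uses (`-d <resolver address>/32`, a placeholder for the real resolver) would keep the egress policy consistent with the rest of the file.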
Line 34: | Line 36: | ||
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT | -A OUTPUT -p udp -m udp --dport 123 -j ACCEPT | ||
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT | -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT | ||
+ | -A OUTPUT -d 192.168.0.50/32 -j ACCEPT | ||
-A OUTPUT -d 128.205.44.172/32 -p udp -m udp --dport 1514 -j ACCEPT | -A OUTPUT -d 128.205.44.172/32 -p udp -m udp --dport 1514 -j ACCEPT | ||
+ | -A OUTPUT -d 128.205.44.172/32 -p tcp -m tcp --dport 80 -j ACCEPT | ||
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | ||
+ | -A OUTPUT -d 192.168.15.200/32 -p tcp -m tcp --dport 8080 -j ACCEPT | ||
+ | -A OUTPUT -d 192.168.13.138/32 -p tcp -m tcp --dport 22 -j ACCEPT | ||
+ | -A fail2ban-ssh -j RETURN | ||
COMMIT | COMMIT | ||
- | # Completed on Fri Mar 24 01:42:12 2017 | + | # Completed on Mon Feb 19 17:37:45 2018 |
</file> | </file> | ||
===== Notes ===== | ===== Notes ===== | ||
[fail2ban](https://www.fail2ban.org/wiki/index.php/Main_Page) is installed, protecting against SSH bruteforce attacks. Don't mess up a login multiple times, as your IP will be banned. | [fail2ban](https://www.fail2ban.org/wiki/index.php/Main_Page) is installed, protecting against SSH bruteforce attacks. Don't mess up a login multiple times, as your IP will be banned. |
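Review bot: `-A OUTPUT -d 192.168.0.50/32 -j ACCEPT` is the only rule in the file with no `-p`/`--dport` match, so it permits any protocol and any port to that host, while every other destination-pinned rule here (25, 1514, 80, 8080, 22) is limited to one port; unless 192.168.0.50 genuinely needs unrestricted access, narrow it the same way, e.g. `-p tcp -m tcp --dport <port>` with the port that host is actually contacted on. The summary "Updating firewall rules" also does not say what 192.168.0.50, 192.168.15.200:8080 and 192.168.13.138:22 are; a short comment on each new rule, or an entry under Notes, would let a future reader tell when a rule can be retired. Finally, the three new `-A OUTPUT` rules sit after the RELATED,ESTABLISHED rule, which is harmless for new connections but breaks the file's grouping; moving them up with the other destination-pinned rules keeps the file readable.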