Differences
This shows you the differences between two versions of the page.
| Next revision | Previous revision | ||
|
cdr:vms:web-server [2017/03/23 08:21] jamesdro created |
cdr:vms:web-server [2018/03/12 06:54] (current) jamesdro Updating firewall rules |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== ubnetdef ====== | + | ====== Web Server ====== |
| Our front-facing public webserver. You're literally connected to this server right now, as you're on our wiki. | Our front-facing public webserver. You're literally connected to this server right now, as you're on our wiki. | ||
| ===== Host Information ===== | ===== Host Information ===== | ||
| * IP: 128.205.44.157 | * IP: 128.205.44.157 | ||
| + | * IP: 192.168.0.21 ([Red Team Network](/cdr/networks/blue_red)) | ||
| + | * Reverse DNS: net-def.cse.buffalo.edu | ||
| + | * vCenter Cluster: MAIN | ||
| + | * vCenter Datastore: [cdr-iscsi1](/cdr/servers/cdr-iscsi1) | ||
| + | |||
| + | ===== Access Control ===== | ||
| + | Access to this server is controlled via our [central authentication server](master). | ||
| + | |||
| + | ===== Firewall Rules ===== | ||
| + | As this machine is dual-homed, we have additional firewall rules on it. Below is the (saved) IPTables rules. | ||
| + | |||
| + | <file conf /etc/iptables/rules.v4> | ||
| + | # Generated by iptables-save v1.4.21 on Mon Feb 19 17:37:45 2018 | ||
| + | *filter | ||
| + | :INPUT DROP [15:1067] | ||
| + | :FORWARD ACCEPT [0:0] | ||
| + | :OUTPUT DROP [0:0] | ||
| + | :fail2ban-ssh - [0:0] | ||
| + | -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh | ||
| + | -A INPUT -i lo -j ACCEPT | ||
| + | -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT | ||
| + | -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT | ||
| + | -A INPUT -p udp -m udp --dport 123 -j ACCEPT | ||
| + | -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT | ||
| + | -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | ||
| + | -A OUTPUT -o lo -j ACCEPT | ||
| + | -A OUTPUT -d 128.205.32.55/32 -p tcp -m tcp --dport 25 -j ACCEPT | ||
| + | -A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT | ||
| + | -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT | ||
| + | -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT | ||
| + | -A OUTPUT -p udp -m udp --dport 123 -j ACCEPT | ||
| + | -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT | ||
| + | -A OUTPUT -d 192.168.0.50/32 -j ACCEPT | ||
| + | -A OUTPUT -d 128.205.44.172/32 -p udp -m udp --dport 1514 -j ACCEPT | ||
| + | -A OUTPUT -d 128.205.44.172/32 -p tcp -m tcp --dport 80 -j ACCEPT | ||
| + | -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | ||
| + | -A OUTPUT -d 192.168.15.200/32 -p tcp -m tcp --dport 8080 -j ACCEPT | ||
| + | -A OUTPUT -d 192.168.13.138/32 -p tcp -m tcp --dport 22 -j ACCEPT | ||
| + | -A fail2ban-ssh -j RETURN | ||
| + | COMMIT | ||
| + | # Completed on Mon Feb 19 17:37:45 2018 | ||
| + | </file> | ||
| ===== Notes ===== | ===== Notes ===== | ||
| - | Accounts on this machine is manually controlled. | + | [fail2ban](https://www.fail2ban.org/wiki/index.php/Main_Page) is installed, protecting against SSH bruteforce attacks. Don't mess up a login multiple times, as your IP will be banned. |