web interface security

Karl Auer kauer at biplane.com.au
Wed Dec 28 13:20:41 UTC 2016


On Wed, 2016-12-28 at 12:04 +0000, Chris Green wrote:
> On Wed, Dec 28, 2016 at 08:58:54AM +0000, thufir wrote:
> > Whether it's a web server, or perhaps a web service, are there
> > other options?  To whitelist only one, or a few, IP
> > addresses?  How effective would a white list be?
> > 
> This sounds more like what a firewall does easily.  My ADSL router's
> firewall allows me to specify exactly what ports are open to what IP
> addresses.

Provided it is the firewall component of your router doing the checks
(not just NAT port forwarding), yes.

Most home networks are behind NAT, at least for IPv4, so if you have
servers on your network you will have set up port forwarding.
Regardless of whether you use NAT or not, tell your home router's
firewall to allow only packets that meet certain criteria to reach
certain machines. For example, you might say "allow packets belonging
to established or related connections back in and allow TCP packets on
port 22 to reach machine a.b.c.d". Then you block everything else.
Remember to do this for IPv4 *and* IPv6.

Then make sure each individual system has its own firewall, especially
for IPv6. These can usually be very simple.

By the way, I often find people who think the above precautions are
paranoid. Five minutes with them watching actual traffic on their
Internet router's outside address (and distressingly often, on their
internal LAN) is usually enough to convince them. There is a steady
rain of attacks, mostly automated, on pretty much every public Internet
address in the world.

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4
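
The policy described in the message above, written out as an nftables ruleset; this is an added example, not part of the original post, and it assumes the router is a Linux machine running nftables. The interface names and both host addresses are placeholders standing in for "machine a.b.c.d", and letting LAN hosts open outbound connections is an assumption implied by "back in".

```nftables
#!/usr/sbin/nft -f
# Added example: forwarding policy for a home router.
# All names and addresses below are placeholders (assumptions).

define wan_if    = "eth0"            # Internet-facing interface
define lan_if    = "eth1"            # internal LAN interface
define ssh_host4 = 192.168.1.10      # "machine a.b.c.d" (address after port forwarding)
define ssh_host6 = 2001:db8:1::10    # the same machine's IPv6 address (documentation prefix)

# The inet family matches IPv4 and IPv6 in one table, so the same
# default-drop policy covers both protocols.
table inet router_filter {
    chain forward {
        # "Then you block everything else": anything not accepted below is dropped.
        type filter hook forward priority 0; policy drop;

        # Packets belonging to established or related connections may come back in.
        ct state established,related accept
        ct state invalid drop

        # Assumption: LAN hosts may open new connections to the Internet.
        iifname $lan_if oifname $wan_if accept

        # New inbound TCP connections on port 22, only to the one machine.
        # With IPv4 NAT the forward hook sees the address after DNAT, so the
        # internal address is matched here; the port forward itself lives in
        # a separate nat table and does no filtering.
        iifname $wan_if ip  daddr $ssh_host4 tcp dport 22 ct state new accept
        iifname $wan_if ip6 daddr $ssh_host6 tcp dport 22 ct state new accept
    }
}
```

`nft -c -f <file>` parses the ruleset without loading it, and `nft list ruleset` shows what is active afterwards.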
