opened OpenSSL port

Dominik Psenner dpsenner at gmail.com
Sun Feb 27 14:20:12 UTC 2011 

Every open port is like a door. As long the lock is good you won't have
problems. :-)

My personal facorite is:
Have SSHd open and running with fail2ban in the background that watches
the logs for abnormal logins and when detected block those IPs for some
time like 5 minutes. Every brute-force break-in attempt is unfeasible.
It can also detect DDOS attacks.

For servers that require high security:
Block all IPs but only a few. When you need to log-in you can log into
one of those servers that are not blocked and from there ssh into the
high-security server.
-- 
Dominik Psenner
## OpenPGP Key Signature #################################
# Key ID: B469318C                                       #
# Fingerprint: 558641995F7EC2D251354C3A49C7E3D1B469318C  #
##########################################################

On 02/27/2011 10:50 AM, erikmccaskey64 wrote:
> 
> Main question: is it safe, to open a port for an openssl server? 
> 
> e.g.:
> 
> server side - generate a self-signed cert.
> time openssl req -x509 -nodes -days 365 -newkey rsa:8192 -keyout
> mycert.pem -out mycert.pem
> openssl s_server -accept 52310 -cert mycert.pem
> 
> Is it secure? - it could be DOSed' [DenialofService] or could it be
> attacked in any way?
> 
> Are there any iptables rule for restricting connections to dyndns names?
> 
> e.g.: only allow connection from "asdfasdf.dyndns.com" and
> "asdfasdf2.dyndns.com" and "asdfasdf3.dyndns.com"?
> 
> How could i restrict the openssl server to only accept traffic from
> given clients? Please help me "think"..
> 
> Or are there any "production ready" methods, that can do authentication
> too? [+using ssl].
> "openssl s_server" and "openssl s_client" would be perfect, but the
> problem is it doesn't has username/password auth :\
> 
> Thank you for any help.
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-users/attachments/20110227/9cec3873/attachment.sig>

More information about the ubuntu-users mailing list