web interface security

Chris Green cl at isbd.net
Wed Dec 28 15:11:08 UTC 2016


On Thu, Dec 29, 2016 at 12:20:41AM +1100, Karl Auer wrote:
> On Wed, 2016-12-28 at 12:04 +0000, Chris Green wrote:
> > On Wed, Dec 28, 2016 at 08:58:54AM +0000, thufir wrote:
> > > Whether it's a web server, or perhaps a web service, are there
> > > other options?  To whitelist only one, or a few, IP
> > > addresses?  How effective would a white list be?
> > > 
> > This sounds more like what a firewall does easily.  My ADSL router's
> > firewall allows me to specify exactly what ports are open to what IP
> > addresses.
> 
> Provided it is the firewall component of your router doing the checks
> (not just NAT port forwarding), yes.
> 
Yes, it has a proper firewall as well as NAT port forwarding.  You
actually have to set up *both* port forwarding and the firewall to
allow access on a particular port.


> Most home networks are behind NAT, at least for IPv4, so if you have
> servers on your network you will have set up port forwarding.
> Regardless of whether you use NAT or not, tell your home router's
> firewall to allow only packets that meet certain criteria to reach
> certain machines. For example, you might say "allow packets belonging
> to established or related connections back in and allow TCP packets on
> port 22 to reach machine a.b.c.d". Then you block everything else.
> Remember to do this for IPv4 *and* IPv6.
> 
> Then make sure each individual system has its own firewall, especially
> for IPv6. These can usually be very simple.
> 
> By the way, I often find people who think the above precautions are
> paranoid. Five minutes with them watching actual traffic on their
> Internet router's outside address (and distressingly often, on their
> internal LAN) is usually enough to convince them. There is a steady
> rain of attacks, mostly automated, on pretty much every public Internet
> address in the world.
> 
Yes, if I allow ssh access from anywhere (rather than only allowing
certain IPs, in the firewall) I get incessant ssh attempts on my
desktop machine.

-- 
Chris Green
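
The policy Karl describes, written out as an nftables ruleset (added example, not from the original thread or any of its authors): one `inet` table covers IPv4 and IPv6 at once, the `input` chain is the per-host firewall, and the `forward` chain is the router case where port-forwarded traffic must reach exactly one LAN machine from a short list of source addresses. All addresses and interface names are placeholders.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original thread. Addresses are placeholders
# (documentation prefixes); edit the sets and the server address to taste.
flush ruleset

table inet filter {
    # The few source addresses allowed to open ssh connections.
    set ssh_sources_v4 {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.0/24, 198.51.100.7 }
    }
    set ssh_sources_v6 {
        type ipv6_addr
        flags interval
        elements = { 2001:db8:1::/48 }
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        # "allow packets belonging to established or related connections back in"
        ct state established,related accept
        ct state invalid drop
        # A default drop on IPv6 must still let ICMPv6 through, otherwise
        # neighbour discovery and path-MTU discovery stop working.
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert,
                      echo-request, destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept
        # "allow TCP packets on port 22", restricted to the allow-listed sources
        ip saddr @ssh_sources_v4 tcp dport 22 accept
        ip6 saddr @ssh_sources_v6 tcp dport 22 accept
        # Everything else falls through to the chain policy (drop); log a
        # rate-limited sample so the background scanning shows up in the kernel log.
        limit rate 5/minute log prefix "nft input drop: "
    }

    # Router case: port-forwarded ssh traverses forward, not input, so the
    # same policy is repeated for "machine a.b.c.d" (192.0.2.10 is a placeholder
    # LAN server and "lan0" a placeholder inside interface).
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "lan0" accept
        ip saddr @ssh_sources_v4 ip daddr 192.0.2.10 tcp dport 22 accept
        limit rate 5/minute log prefix "nft forward drop: "
    }
}
```

Load it with `nft -f <file>` and confirm the result with `nft list ruleset`; the NAT/port-forwarding rule itself is configured separately, as Chris notes above.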
