LinHES Forums
http://forum.linhes.org/

Configure backend to only listen on localhost?
http://forum.linhes.org/viewtopic.php?f=17&t=10393

Author:  haertig [ Wed Jun 07, 2006 9:53 am ]
Post subject:  Configure backend to only listen on localhost?

Is there a way to configure the backend to only listen on the localhost adapter? I have my firewall configured to only allow connections from localhost, but I like "layers of protection" and would also like to limit the backend separately from the firewall, if possible.

What I have:
Code:
# netstat -anp | grep LISTEN | grep myth
tcp    0   0   0.0.0.0:6543        0.0.0.0:*        LISTEN   5741/mythbackend
tcp    0   0   0.0.0.0:6544        0.0.0.0:*        LISTEN   5741/mythbackend

What I want:
Code:
# netstat -anp | grep LISTEN | grep myth
tcp    0   0 127.0.0.1:6543        0.0.0.0:*        LISTEN   5741/mythbackend
tcp    0   0 127.0.0.1:6544        0.0.0.0:*        LISTEN   5741/mythbackend

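The two netstat listings above are the check the poster is actually making: a LISTEN socket whose local address is 0.0.0.0 (or :: for IPv6) answers on every interface, while 127.0.0.1 answers only to the box itself. The following script automates that comparison. It is an added example, not something posted in this thread or part of MythTV; the sample netstat text is constructed (the mythbackend lines copy the layout quoted above, the mysqld and sshd lines are made up for contrast), and the function names are my own.

```shell
#!/bin/sh
# Added example: audit "netstat -anp" output for LISTEN sockets bound to a
# wildcard address (0.0.0.0 or ::) instead of loopback only. The netstat
# text is passed in as a string so the check runs offline and is testable.

# Constructed sample in the layout of the output quoted in the post above.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:6543            0.0.0.0:*               LISTEN      5741/mythbackend
tcp        0      0 0.0.0.0:6544            0.0.0.0:*               LISTEN      5741/mythbackend
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      4120/mysqld
tcp6       0      0 :::22                   :::*                    LISTEN      1003/sshd
tcp        0      0 127.0.0.1:6543          0.0.0.0:*               ESTABLISHED 5741/mythbackend'

# Print one "port program" line per LISTEN socket whose local address is a
# wildcard, i.e. one that is reachable from every interface on the machine.
# Only the LISTEN state is considered; established connections are ignored.
wildcard_listeners() {
    printf '%s\n' "$1" | awk '
        $6 == "LISTEN" {
            addr = $4
            # The port is everything after the last colon; the host is the
            # rest. This also handles IPv6 forms such as ":::22" (host "::").
            n = split(addr, parts, ":")
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "0.0.0.0" || host == "::") {
                split($7, prog, "/")   # "5741/mythbackend" -> program name
                print port, prog[2]
            }
        }'
}

# Succeed (exit 0) only when PROGRAM has no wildcard-bound LISTEN socket,
# which is the state the poster wants to reach for mythbackend.
#   $1 = netstat text, $2 = program name
program_is_loopback_only() {
    ! wildcard_listeners "$1" | awk -v p="$2" '$2 == p { found = 1 } END { exit !found }'
}

# Usage: list the offenders, then verdict for the backend.
wildcard_listeners "$SAMPLE_NETSTAT"
if program_is_loopback_only "$SAMPLE_NETSTAT" mythbackend; then
    echo "mythbackend: listening on loopback only"
else
    echo "mythbackend: still bound to all interfaces"
fi
```

On a live system replace the constructed string with `netstat -anp` output (or `ss -lntp`, whose columns differ and would need the field numbers adjusted). The check is worth re-running after any backend or firewall change, since a host firewall rule hides the port from the network but does not change what netstat reports the daemon is bound to.
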
Author:  khrusher [ Wed Jun 07, 2006 12:51 pm ]
Post subject: 

What are you trying to limit? Your wife accessing the backend with a rogue unauthorized frontend in the basement?

:)

Author:  haertig [ Wed Jun 07, 2006 6:54 pm ]
Post subject: 

khrusher wrote:
what are you trying to limit?
Just basic security. Step one is always to shut off all unneeded services. Step two is to limit those services you do need to only those who really need them. I could go on and on about strong passwords, tight firewalls, partitioning and read-only filesystems, rings (layers) of security, etc. Have you ever wondered how many computers out there would be happy to let you waltz right on in by ssh-ing with a username of mythtv and a password of mythtv (or some trivially close permutation of that)? It makes me shudder to think about it.

And no, the wife's rogue frontend in the basement does NOT need to talk to my backend. :wink: And if the day ever comes that it DOES, it will have to authenticate with a pubkey, tunnel in an encrypted port forward via ssh, and carefully avoid all the other booby-trapped ports that will automatically generate an iptables rule to block it into oblivion! (Among other things!) :wink:

Author:  tjc [ Wed Jun 07, 2006 7:03 pm ]
Post subject: 

And I thought *I* was a security paranoic... ;-)

Author:  mac [ Thu Jun 08, 2006 6:44 am ]
Post subject: 

My setup is simple. I don't have the myth box connected directly to the net; it goes through another Linux box doing masquerading that is not listening on any ports except 22, and then only from the one 10.x.x.x address that I use to connect to it from. When I do want to get to my machine from the outside I set up a port forward for just the IP I am trying to reach it from. My myth box is also running its own set of iptables rules.

So --- what I'm saying is that if you want another layer --

Any old box will do a good job with IP masq.
