I'm a newbie to Linux. Over the past couple of months I have been messing around with CentOS and have finally got it into a usable state with Apache, MySQL, PHP, SSH and FTP. I was hoping I could get some advice on keeping this system secure, as it is public facing but mostly for development work. Here's my iptables script:
Code:
# Default policies: drop everything inbound and forwarded, allow all outbound
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# Replies to connections this host started, plus related flows (e.g. FTP data)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow Http (from anywhere)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Allow FTP (and passive ports), LAN only
iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 20:21 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 50000:50050 -j ACCEPT
# Allow SSH, LAN only
iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 22 -j ACCEPT
# Allow MySQL, LAN only
iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 3306 -j ACCEPT
NMAP from another PC in the network:
Code:
Discovered open port 80/tcp on 192.168.0.103
Discovered open port 21/tcp on 192.168.0.103
Discovered open port 22/tcp on 192.168.0.103
GRC's Shields Up! reports that only port 80 is open externally, which is what I want.
As you can see, I am keeping FTP, SSH and MySQL all within my local network. I've noticed there are a few other services that would otherwise be exposed (something beginning with RPC; I forgot the other), which are firewalled by the above rules.
I've also uninstalled Postfix as I don't want to deal with the risk of spam.
Can anyone comment on the above rules and whether or not they're OK?
There are a few things which have gone through my mind but haven't been fully comprehended. Any elaboration on the following would be appreciated:
Do I need to worry about making a "chroot jail"? I don't understand this fully but I believe the idea is you limit the PHP and FTP users to within the public html directory...
I'm logging into SSH using the root account. Seeing as this is only within my local network, is that a big deal?
One minor thing I'd like to know about: Can I have iptables drop any connection attempts directly to my IP outside of the local network? I'm using no-ip and would rather not have my public IP responding to requests if possible.
Not sure what else I'm missing. Are there any gaping holes that a newbie is not likely to have addressed?
Thanks for your help!
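As an added example (not the poster's script and not anything CentOS ships), here is the same policy written as a script that prints the rules by default and only installs them when run with `--apply`. It keeps the post's LAN range (192.168.0.0/24) and passive-FTP range (50000:50050) as variables, and adds what is missing from the original: a drop for INVALID conntrack state, rate-limited ICMP echo so diagnostics still work, a `recent`-module brake on new SSH connections, and a rate-limited LOG rule in front of the final DROP so blocked probes show up in the kernel log. The `IPT=echo` dry-run convention is this example's own, not an iptables feature.

```shell
#!/bin/sh
# Added example: stateful IPv4 firewall for a public-facing dev box.
# IPT is the command used to emit each rule; IPT=echo turns it into a dry run.
IPT="${IPT:-iptables}"
LAN="${LAN:-192.168.0.0/24}"            # assumed from the post
PASV_PORTS="${PASV_PORTS:-50000:50050}" # assumed from the post

build_rules() {
    # Start from a clean slate, then default-deny inbound and forwarded traffic
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    $IPT -A INPUT -i lo -j ACCEPT
    # Packets that do not belong to any tracked connection are dropped first
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Ping, capped so it cannot be used to flood the box
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT

    # Public web server
    $IPT -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT

    # SSH from the LAN only; a 5th new connection from one source within 60 s is dropped
    $IPT -A INPUT -p tcp -s "$LAN" --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH
    $IPT -A INPUT -p tcp -s "$LAN" --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP
    $IPT -A INPUT -p tcp -s "$LAN" --dport 22 -m conntrack --ctstate NEW -j ACCEPT

    # FTP control channel and passive data range from the LAN only
    $IPT -A INPUT -p tcp -s "$LAN" --dport 21 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT -p tcp -s "$LAN" --dport "$PASV_PORTS" -m conntrack --ctstate NEW -j ACCEPT

    # MySQL from the LAN only
    $IPT -A INPUT -p tcp -s "$LAN" --dport 3306 -m conntrack --ctstate NEW -j ACCEPT

    # Log whatever falls through (rate-limited so it cannot fill the disk), then drop
    $IPT -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "IPT-DROP: " --log-level 4
    $IPT -A INPUT -j DROP
}

case "${1:-}" in
    --apply) build_rules ;;          # really install the rules (needs root)
    *)       IPT=echo; build_rules ;; # default: print what would be installed
esac
```

Run with no arguments it only prints the rule list for review; `sh firewall.sh --apply` installs it, and on CentOS 5/6 `service iptables save` persists it across reboots. Two caveats: this only covers IPv4, so ip6tables needs the same default-drop policy or the IPv6 side stays open; and firewall rules match on addresses, so they cannot tell a request for the no-ip hostname apart from one sent straight to the public IP. That distinction is made in Apache's virtual-host configuration, not in iptables.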