These forums are locked and archived, but all topics have been migrated to the new forum. You can search for this topic on the new forum: Search for Linux Firewall on the new forum.
This website is deprecated, and remains online only for historic access to old issues and docs for historic versions of Virtualmin. It has been unmaintained for several years, and should not be relied on for up-to-date information. Please visit www.virtualmin.com instead.
Yes, you can do this in two ways: the "selected users" all have static IPs, or you go with port knocking. The only simple solution is if the "selected users" have static IPs, because for port knocking you must use more than just the usual FTP software. Personally I think this is just a waste of time and I don't see the point in doing such a thing.
If you are afraid of brute force attacks, just install fail2ban.
- I often come to the conclusion that my brain has too many tabs open. - Failing at desktop publishing & graphic design since 1994.
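The static-IP option from the reply above, as an added example that is not part of the original thread: an iptables allow-list that admits new FTP control connections only from fixed client addresses and drops (and rate-limited logs) everything else. The chain name FTP_ALLOW, the RFC 5737 documentation addresses 203.0.113.10 and 198.51.100.0/24, and the DRY_RUN switch are assumptions for illustration, not anything the poster or Virtualmin ships.

```shell
#!/bin/sh
# Added example, not from the original thread: restrict FTP (tcp/21) to a
# fixed list of client addresses with a dedicated iptables chain.
# DRY_RUN=1 (the default) prints the commands instead of executing them, so
# this can be tried without root; DRY_RUN=0 applies them.
# Chain name, port and sample addresses are illustrative assumptions.

FTP_PORT="${FTP_PORT:-21}"
CHAIN="${CHAIN:-FTP_ALLOW}"
DRY_RUN="${DRY_RUN:-1}"

# run CMD...: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ftp_allow_rules ADDR...: build a chain that accepts connections from each
# ADDR (single IP or CIDR block), logs a sample of everything else, drops the
# rest, and hook it into INPUT for NEW tcp/21 connections only.
ftp_allow_rules() {
    [ "$#" -gt 0 ] || { echo "usage: ftp_allow_rules ADDR..." >&2; return 2; }
    run iptables -N "$CHAIN"
    run iptables -F "$CHAIN"
    for addr in "$@"; do
        run iptables -A "$CHAIN" -s "$addr" -j ACCEPT
    done
    # Log a sample of denied attempts before dropping them: evidence for a
    # firewall review and input for fail2ban-style tooling.
    run iptables -A "$CHAIN" -m limit --limit 5/min -j LOG --log-prefix "FTP-DENY: "
    run iptables -A "$CHAIN" -j DROP
    # Only NEW control connections are diverted; an earlier INPUT rule must
    # already accept RELATED,ESTABLISHED traffic, which is how passive-mode
    # data connections tracked by the ftp conntrack helper get through.
    run iptables -I INPUT -p tcp --dport "$FTP_PORT" -m conntrack --ctstate NEW -j "$CHAIN"
}

# count_accept_rules ADDR...: how many ACCEPT entries the chain would hold,
# a quick sanity check that every intended client made it into the list.
count_accept_rules() {
    ( DRY_RUN=1; ftp_allow_rules "$@" ) | grep -c -- '-j ACCEPT'
}

# Stand-alone use: sh ftp_allow.sh 203.0.113.10 198.51.100.0/24
if [ "$#" -gt 0 ]; then
    ftp_allow_rules "$@"
fi
```

Two caveats before applying this with DRY_RUN=0: the chain only covers the control channel, so if the ftp conntrack helper is not in use you must also pin the server to a fixed passive port range and add that range to the allow-list, or logins from permitted clients will succeed and transfers will then hang; and plain iptables rules do not survive a reboot unless saved with the distribution's persistence tool. It also does nothing for a client without a fixed IP, which is the case raised in the follow-up below and the reason the reply mentions port knocking and fail2ban instead.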
Thanks, I just wanted to secure things as far as possible for a basic level of PCI compliance, so I wanted to lock down as much as possible. The particular user concerned doesn't have a fixed IP, so I wanted to try to block the port except for that one user.
You can always change the default port for FTP, SSH, Webmin, Usermin... but then you must give the new details to your users. Aside from Webmin and Usermin, the other services have pros and cons if you change the default port, just to mention a few of them:
Pros: bots picking at standard ports will stop bothering you; log files will not be full of failed login attempts; you don't need to worry too much about whether your users have chosen strong and non-standard passwords...
Cons: some other services might not work on non-standard ports; in the case of SSH there is a chance that local users can cause a DoS attack (the real chance of it happening is very low, but worth considering in a shared hosting environment with hundreds of users); port scanners will manage to pick up your ports sooner or later (still, the classic bots will not be present)...
Either way, if you want to change it, go for ports higher than 1024, as anything lower is usually reserved and could cause some conflicts.
If you don't know what I'm talking about, then my advice is to Google all this before you take a chance, or pay someone to do the job instead of you.
- I often come to the conclusion that my brain has too many tabs open. - Failing at desktop publishing & graphic design since 1994.
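The port change described in the reply above, as an added example that is not part of the original post: a check that a candidate port is above the reserved range, not a registered service and not already in use, followed by the order of operations that avoids locking yourself out of SSH (open the firewall first, validate the config, restart last). The port 52022, the iptables firewall, the default sshd_config path and the systemd unit name are assumptions; DRY_RUN=1 prints the privileged commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original thread: validate a candidate
# non-standard port and move sshd to it without locking yourself out.
# DRY_RUN=1 (default) prints each privileged command instead of running it.
# Assumptions: iptables, sshd_config at its default path, and a systemd unit
# named "sshd" (Debian/Ubuntu name it "ssh"; override with SSHD_UNIT).

DRY_RUN="${DRY_RUN:-1}"
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
SSHD_UNIT="${SSHD_UNIT:-sshd}"

# run CMD...: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# check_port PORT: succeed only if PORT is usable as a non-default port:
# numeric, above the privileged range (1-1024) the reply warns about, at most
# 65535, not a registered TCP service in /etc/services, and not already
# listening on this host (checked with ss when it is installed).
check_port() {
    port="$1"
    case "$port" in
        ''|*[!0-9]*) echo "check_port: '$port' is not a number" >&2; return 1 ;;
    esac
    if [ "$port" -le 1024 ]; then
        echo "check_port: $port is in the privileged range (1-1024)" >&2; return 1
    fi
    if [ "$port" -gt 65535 ]; then
        echo "check_port: $port is above 65535" >&2; return 1
    fi
    if [ -r /etc/services ] && grep -Eq "[[:space:]]$port/tcp" /etc/services; then
        echo "check_port: $port is a registered service in /etc/services" >&2; return 1
    fi
    if command -v ss >/dev/null 2>&1 && ss -Hltn 2>/dev/null | grep -Eq ":$port[[:space:]]"; then
        echo "check_port: something already listens on $port" >&2; return 1
    fi
    return 0
}

# move_sshd_port PORT: lock-out-safe order. Open the new port in the firewall
# first, rewrite the Port directive (keeping a .bak copy), let sshd validate
# the file, and only then restart. Keep the current session open and confirm
# a fresh login on the new port works before closing it or dropping port 22.
move_sshd_port() {
    port="$1"
    check_port "$port" || return 1
    run iptables -I INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    run sed -i.bak -E "s/^#?Port .*/Port $port/" "$SSHD_CONFIG"
    run sshd -t -f "$SSHD_CONFIG" || { echo "sshd_config invalid, not restarting" >&2; return 1; }
    run systemctl restart "$SSHD_UNIT"
    echo "verify with: ssh -p $port user@host from a second terminal before closing this session"
}

# Stand-alone use: sh move_sshd_port.sh 52022
if [ "$#" -gt 0 ]; then
    move_sshd_port "$1"
fi
```

The sed edit only rewrites an existing `Port` (or commented `#Port`) line; if your sshd_config has none, append `Port 52022` by hand before the validation step. Remember the reply's point that this is obscurity, not access control: keep fail2ban (or the allow-list) in place, and tell every user the new port.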