Technician (talk | contribs) (Mention IPv6 issues and Fail2ban.) |
Technician (talk | contribs) mNo edit summary |
Line 40: | Line 40: | ||
There are no AAAA entries in the DNS because we only allow IPv4 for incoming connections. This simplifies security auditing. | There are no AAAA entries in the DNS because we only allow IPv4 for incoming connections. This simplifies security auditing. | ||
== Special DNS entries == | == Special DNS entries == | ||
Line 102: | Line 86: | ||
|TXT || @ || google-site-verification=<key> | |TXT || @ || google-site-verification=<key> | ||
|} | |} | ||
== Firewall == | |||
The simple <code>ufw</code> firewall-frontend is used to trivially limit all network I/O to the ports you can see in the host table above, plus port 22 for ssh and scp. | |||
UFW adds IPv6 rules by default, which can be prevented by using more explicit rules. Consider the following rule: | |||
ufw allow 12345/tcp # will allow TCP connections to port 12345 via IPv4 and IPv6 | |||
To limit this to IPv4 you can instead use this: | |||
ufw allow proto tcp to 0.0.0.0/0 port 12345 # will allow TCP connections to port 12345 via IPv4 only | |||
== Fail2ban == | |||
We use <code>fail2ban</code> to detect brute force attempts on some services. The git repository for scripts and config contains the relevant Fail2ban configuration under <code>etc/fail2ban</code>. | |||
== SSH access == | == SSH access == |
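Review bot: the new Firewall section shows only a placeholder rule (port 12345) while stating that the real policy is "the ports you can see in the host table above, plus port 22"; since the IPv4-only form `ufw allow proto tcp to 0.0.0.0/0 port 12345` has to be repeated per port, the section should either list the actual rules or point to them in the same git repository the Fail2ban section references under `etc/fail2ban`, so the two stay auditable together. It would also help to say explicitly whether port 22 was added with the IPv4-only form, because a plain `ufw allow 22/tcp` would open IPv6 as well and contradict the IPv4-only goal stated at Line 40. In the Fail2ban section, "some services" names no jails; listing which services are monitored (and their ban parameters) would make the configuration reviewable without opening the repository.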