Another option would be port-knocking or single-packet authentication. These are comparatively simple methods of opening a port only to a specific address whose user has demonstrated that they know the pre-determined "combination" or are in possession of a cryptographic key you have issued them. As such, they are only useful if the client user is known to you, so you can get them to perform the required connecting procedure.
It's pretty easy now to use the 'recent' match to create your own simple port-knocking solution entirely within iptables:
http://serverfault.com/questions/314604/setup-port-knocking-with-iptables-on-single-port

You can leverage Shorewall to create a more generally useful solution:
http://www.shorewall.net/PortKnocking.html

There are a variety of packages available for port-knocking (daemons and clients both), or you can create your own scripts:
http://portknocking.org/

If your security needs are greater, you might prefer single-packet authentication, which is more secure. Fwknop is a good package for single packet authentication:
http://www.cipherdyne.org/fwknop/

I have also scripted my own single-packet authentication solution before. So, that is entirely possible if you prefer.
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
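The following is an added example, not part of the original message and not Shorewall's or the serverfault poster's code: a POSIX shell script that generates the raw iptables rule set for an iptables-only knock sequence built on the 'recent' match, following the well-known GATE/PASSED chain pattern the linked serverfault answer is based on. It generalises that recipe to any number of knock ports. The chain names (KNOCKING, GATEn, PASSED), the 'recent' list names (AUTHn), the timing defaults and the netcat-based client are my own assumptions. It only prints iptables commands; you review them and pipe them into a root shell yourself.

```shell
#!/bin/sh
# Generate an iptables port-knocking rule set on top of the 'recent' match.
#   gen_knock_rules PROTECTED_PORT KNOCK_PORT [KNOCK_PORT ...]
# Output: iptables commands (one per line). Apply with e.g.
#   sh knock-rules.sh 22 7000 8000 9000 | sudo sh
# Nothing here invokes iptables directly.
#
# State machine (all per source address, kept by xt_recent):
#   stage i is "address is in list AUTHi and was seen within the window";
#   a correct knock at stage i-1 moves to stage i, any other NEW packet
#   resets to stage 0 (GATE1), and the final stage admits exactly one NEW
#   connection to the protected port before resetting.

# Assumed timing: seconds allowed between knocks, and seconds the protected
# port stays reachable after the last knock.
KNOCK_STEP_SECS=${KNOCK_STEP_SECS:-10}
KNOCK_OPEN_SECS=${KNOCK_OPEN_SECS:-30}

gen_knock_rules() {
    port=$1; shift
    n=$#
    [ "$n" -ge 1 ] || { echo "need at least one knock port" >&2; return 1; }

    echo "iptables -N KNOCKING"
    i=1
    while [ "$i" -le "$n" ]; do
        echo "iptables -N GATE$i"
        i=$((i + 1))
    done
    echo "iptables -N PASSED"

    # Loopback and established flows never enter the knock machine. Any
    # service you want open to everyone must be ACCEPTed here, before the
    # jump to KNOCKING, because KNOCKING drops everything it does not admit.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate NEW -j KNOCKING"

    # Dispatch on the most advanced stage that is still fresh.
    echo "iptables -A KNOCKING -m recent --rcheck --seconds $KNOCK_OPEN_SECS --name AUTH$n -j PASSED"
    i=$((n - 1))
    while [ "$i" -ge 1 ]; do
        echo "iptables -A KNOCKING -m recent --rcheck --seconds $KNOCK_STEP_SECS --name AUTH$i -j GATE$((i + 1))"
        i=$((i - 1))
    done
    echo "iptables -A KNOCKING -j GATE1"

    # GATEi: forget the previous stage, record the next one if the knock is
    # right, otherwise fall back to GATE1 (which re-checks for the first knock
    # and drops anything else). Knocks are DROPped so the client never sees a
    # reply either way.
    i=1
    for k in "$@"; do
        [ "$i" -gt 1 ] && echo "iptables -A GATE$i -m recent --name AUTH$((i - 1)) --remove"
        echo "iptables -A GATE$i -p tcp --dport $k -m recent --name AUTH$i --set -j DROP"
        if [ "$i" -eq 1 ]; then
            echo "iptables -A GATE1 -j DROP"
        else
            echo "iptables -A GATE$i -j GATE1"
        fi
        i=$((i + 1))
    done

    # PASSED: --remove with no target just clears the final stage, so the
    # address gets one NEW connection to the protected port and then starts
    # over from GATE1.
    echo "iptables -A PASSED -m recent --name AUTH$n --remove"
    echo "iptables -A PASSED -p tcp --dport $port -j ACCEPT"
    echo "iptables -A PASSED -j GATE1"
}

# Client side (assumes a netcat with -z/-w): each knock only has to get a SYN
# to the server; since the knock ports DROP, the connect simply times out.
#   knock HOST KNOCK_PORT [KNOCK_PORT ...]
knock() {
    host=$1; shift
    for k in "$@"; do
        nc -z -w 1 "$host" "$k" 2>/dev/null || true
    done
}

# When run as a script with arguments, emit the rules for them.
if [ "$#" -ge 2 ]; then
    gen_knock_rules "$@"
fi
```

Keep in mind what this does and does not buy you. The knock sequence travels in cleartext as plain SYNs, so anyone who can sniff the path learns the "combination" and can replay it, which is exactly why the message above points at single-packet authentication (fwknop) when the stakes are higher. xt_recent also keeps a bounded list per name (100 addresses by default, the ip_list_tot module parameter), which is plenty for a known set of users but worth knowing if you ever widen the audience. On a Shorewall-managed host, do not run these raw commands alongside Shorewall's generated rules; use the approach in the PortKnocking article linked above instead.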
