
Secure web server without blacklisting everything

Started by MarkoKg, November 08, 2017, 05:17:06 PM


MarkoKg

Hey there,

I have a client with a server (Linux based), which is locked for access unless the specific IP of the user is whitelisted. So if my IP is not whitelisted I can't access cPanel, SSH, FTP, nothing. And as my IP is dynamic and changes from time to time, it's hard to depend on server support and their not so responsive actions.

Therefore, I'd like some advice about how to secure a web server without the need to lock everything. I'm a noob when it comes to server administration, I know just the basics, but I'm willing to hear and learn.

Do note that on the server there's one SMF forum with Simple Portal, a few custom pages, one chat script and that's all.

Here are more details about the server:
GD version: bundled (2.1.0 compatible)
MySQL version: 5.5.58-cll
PHP: 5.6.26
Server version: Apache/2.2.31 (Unix) mod_ssl/2.2.31 OpenSSL/1.0.1e-fips mod_bwlimited/1.4

Colin

Use a VPN which should have a static IP or a subset of IPs that you can whitelist on your webserver. Connect to this VPN when you need to tunnel in to make administrative server configuration changes.
"If everybody is thinking alike, then somebody is not thinking." - Gen. George S. Patton Jr.


MarkoKg

Quote from: Colin on November 08, 2017, 05:41:11 PM
Use a VPN which should have a static IP or a subset of IPs that you can whitelist on your webserver. Connect to this VPN when you need to tunnel in to make administrative server configuration changes.

Thanks for your answer.
Is that the only and the best solution? I mean, isn't there a safe way to let someone in apart from providing access for a specific IP?

Apart from that, any suggestion about which VPN to use, which provider I mean?

Thanks!

Colin

If you are required to only allow access to an IP address or specific IP address range then yeah this is the best way I can think of.

MarkoKg

Thanks Colin, although I'm asking for a better way to secure the web server itself rather than blocking all IPs by default. Not really sure what's the best workaround there, as servers which I've worked on earlier didn't have this type of security measure.

LiroyvH

Well, this is hard to say without context. Surely there must be a reason why they chose such a rather aggressive defense? Have you asked them?

There are multiple ways to protect your server. The base things are rather simple. But, with no offense, if you don't know how to do it and thus don't know what you're doing: why mess with the security? If it works fine for them but not for you, find an alternative route as suggested. Don't start weakening the security just for your convenience, especially not if you haven't got a clue what you're doing...

It's something you need to learn, but there is *a lot* to learn. Don't start messing with production servers if you don't know what you're doing yet, that's probably the best suggestion for this case.
Again, with no offense. :)
President/CEO of Simple Machines - Server Manager

MarkoKg

None taken :) Thanks for your explanation, that actually makes sense for now.
Any suggestion about which VPN to use in that case?
