Firewall needed?
DennisCitus
07-20-2004, 09:55 AM
I have restricted SSH access now to my own IP, so nobody else can use SSH unless he logs in at localhost (in the datacenter).
Is there still any good in installing a firewall? Is there still any good in disabling unused SSH users? Is there still any good in only accepting SSHv2?
skruf
07-20-2004, 10:43 AM
Hey,
Any layer of additional security you can add is good. The more layers, the better off you are...
Yes, you should use ssh2 and disable/not allow ssh1.
Of course, these are my opinions.
David
nobaloney
07-20-2004, 08:32 PM
There's a lot more to a firewall besides ssh blocking.
The days when you could safely run a server on the 'net without a firewall are long since past.
Look at the threads here for the KISS firewall for iptables.
It's easy to set up, and it's a good start.
Jeff
DennisCitus
07-21-2004, 01:13 AM
Well, I believe it only blocks certain ports and you can make it block IPs?
What can a software firewall do more?
nobaloney
07-21-2004, 08:16 AM
Originally posted by DennisCitus
Well, I believe it only blocks certain ports and you can make it block IPs?
I don't know what you mean by "it".
Do you mean iptables? Do you mean KISS?
Do you mean something else?
iptables is an immensely powerful firewall in and of itself; see the website here (http://www.netfilter.org/) .
What can a software firewall do more?
Here are some of the things it can do, quoted from their website:
Main Features
* stateless packet filtering (IPv4 and IPv6)
* stateful packet filtering (IPv4)
* all kinds of network address and port translation (NAT/NAPT)
* flexible and extensible infrastructure
* multiple layers of API's for 3rd party extensions
* large number of plugins/modules kept in 'patch-o-matic' repository
What can I do with netfilter/iptables?
* build internet firewalls based on stateless and stateful packet filtering
* use NAT and masquerading for sharing internet access if you don't have enough public IP addresses
* use NAT to implement transparent proxies
* aid the tc and iproute2 systems used to build sophisticated QoS and policy routers
* do further packet manipulation (mangling) like altering the TOS/DSCP/ECN bits of the IP header
See the article "The Hidden Treasures of iptables", from Linux Journal magazine, April 2004, Page 24, available online here (http://www.linuxjournal.com/article.php?sid=7180) .
KISS is a rather simple interface to iptables, which is generally powerful enough for most webhosters.
Jeff
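To make the advice in this thread concrete, here is an added example. It is my own code, not code from the thread, from OpenSSH or from the KISS firewall script, and it covers both halves of the discussion: a check of sshd_config for the settings Dennis and David talk about (SSH-2 only, root login off, a restricted AllowUsers list) and a minimal stateful iptables ruleset of the kind Jeff describes, which lets new SSH connections in from one source address only and drops the rest at the packet level, while the web ports stay open. The admin address 203.0.113.10, the login name dennis and the sample config are assumptions. The rule generator prints the iptables commands instead of running them, so they can be reviewed and tested without root.

```shell
#!/bin/sh
# Added example for this thread; not code from the thread, from OpenSSH or
# from the KISS firewall script. Assumptions: the admin connects from the
# static address 203.0.113.10 (an RFC 5737 documentation address), the
# allowed login is "dennis", sshd listens on 22 and the box serves HTTP/HTTPS.
set -eu

ADMIN_IP=203.0.113.10

# --- 1. Audit an sshd_config read from stdin -------------------------------
# Flags the three things the thread discusses: SSH-1 still enabled, root
# allowed to log in, and no AllowUsers line (so every local account is an
# SSH account). Defaults mirror OpenSSH before 5.4, where "Protocol 2,1"
# and "PermitRootLogin yes" were the shipped defaults.
audit_sshd_config() {
    awk '
        BEGIN { proto = "2,1"; root = "yes"; allow = "" }
        /^[[:space:]]*(#|$)/ { next }                      # skip comments/blank
        tolower($1) == "protocol"        { proto = $2 }
        tolower($1) == "permitrootlogin" { root  = tolower($2) }
        tolower($1) == "allowusers"      { allow = $0 }
        END {
            bad = 0
            if (proto != "2")  { print "WEAK: Protocol " proto " (set: Protocol 2)"; bad++ }
            if (root == "yes") { print "WEAK: PermitRootLogin yes (set: PermitRootLogin no)"; bad++ }
            if (allow == "")   { print "WEAK: no AllowUsers line, any local account may log in"; bad++ }
            if (bad == 0)      { print "OK" }
        }'
}

# --- 2. Generate a minimal stateful iptables ruleset ------------------------
# Default-deny INPUT, loopback and established traffic accepted, new SSH
# connections only from $1, web ports open to all, everything else logged
# (rate-limited) and then dropped by the chain policy. Commands are printed,
# not executed: review them, then run "firewall_rules 203.0.113.10 | sh" as root.
firewall_rules() {
    admin_ip=$1
    cat <<EOF
iptables -F INPUT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -p tcp --dport 22 -s $admin_ip -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
iptables -A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
iptables -A INPUT -m limit --limit 3/min -j LOG --log-prefix "FW-DROP: "
EOF
}

# Constructed sample of a weak, pre-hardening sshd_config (not a real file).
WEAK_SSHD_CONFIG='# sshd_config as shipped
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes'

# Demonstration: audit the sample, then show the rules for the admin address.
printf '%s\n' "$WEAK_SSHD_CONFIG" | audit_sshd_config
firewall_rules "$ADMIN_IP"
```

Two caveats a practitioner would want. First, an sshd-level restriction such as AllowUsers dennis@203.0.113.10 still lets anyone on the Internet complete the TCP handshake, read the version banner and start a key exchange before being refused; the iptables rule above stops the SYN, so sshd never sees those connections and the FW-DROP log line shows who tried. Second, the Protocol directive only matters on OpenSSH old enough to still ship SSH-1; OpenSSH 7.6 and later removed protocol 1 entirely and ignore the directive, so on a current system the check reports a setting that no longer has any effect.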