If you have a webserver / webapp, database and Webmin all on the same Linux machine, and you want to secure them for the internet, is it a good idea to only leave open the SSH and web ports (443 and 80) and bind all the other private services (Webmin, Adminer or phpMyAdmin, and database ports) only to the local loopback address (127.0.0.1, ::1), and then secure SSH with a 4096-bit public / private RSA key, prevent password-based authentication and root logins...and finally only access these private services using SSH local forwarding?
I was also thinking of limiting the IP or MAC addresses of the machines that are allowed to access it in its firewall.
Anything I missed here?
- A man is not an island...that's why we have forums!
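As an added example that is not part of this thread, a small POSIX shell audit of the policy the question describes: key-only SSH with root login disabled, and nothing but 22, 80 and 443 bound to a non-loopback address. The sshd_config fragment and the `ss -tlnH`-style listener table are constructed samples; on a real host you would feed in /etc/ssh/sshd_config and the live output of `ss -tlnH`.

```shell
# Constructed inputs (not taken from a live host): an sshd_config fragment and
# a listener table in the shape of `ss -tlnH` output (no header line).
SSHD_CONF='
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
'
LISTENERS='
tcp 0 128 0.0.0.0:22 0.0.0.0:*
tcp 0 128 0.0.0.0:80 0.0.0.0:*
tcp 0 128 0.0.0.0:443 0.0.0.0:*
tcp 0 128 127.0.0.1:3306 0.0.0.0:*
tcp 0 128 127.0.0.1:10000 0.0.0.0:*
tcp 0 128 [::1]:10000 [::]:*
'

# sshd_value CONFIG KEY: first match wins, which is how sshd resolves keywords.
sshd_value() {
  printf '%s\n' "$1" | awk -v k="$2" 'tolower($1)==tolower(k) {print $2; exit}'
}

# check_sshd CONFIG: key-only auth, no root login; a missing keyword fails.
check_sshd() {
  [ "$(sshd_value "$1" PermitRootLogin)" = no ] || { echo "PermitRootLogin must be no" >&2; return 1; }
  [ "$(sshd_value "$1" PasswordAuthentication)" = no ] || { echo "PasswordAuthentication must be no" >&2; return 1; }
  [ "$(sshd_value "$1" PubkeyAuthentication)" = yes ] || { echo "PubkeyAuthentication must be yes" >&2; return 1; }
}

# exposed_ports TABLE: ports whose local address is not loopback (127.x or [::1]).
exposed_ports() {
  printf '%s\n' "$1" | awk 'NF>=4 {
    n = split($4, a, ":"); port = a[n]
    addr = substr($4, 1, length($4) - length(port) - 1)
    if (addr !~ /^127\./ && addr != "[::1]") print port
  }'
}

# check_exposure TABLE "ALLOWED PORTS": fail if anything else faces the network.
check_exposure() {
  for p in $(exposed_ports "$1"); do
    case " $2 " in
      *" $p "*) ;;
      *) echo "port $p is reachable from outside but not on the allow-list" >&2; return 1 ;;
    esac
  done
}

check_sshd "$SSHD_CONF" && check_exposure "$LISTENERS" "22 80 443" && echo "policy OK"
```

Binding a service to loopback only hides it from the network; the audit is worth re-running after every package upgrade, since a new default config can silently rebind a daemon to 0.0.0.0.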
Generally, placing a machine in a DMZ with ports being forwarded from the public side to it poses security risks. If all these services must run on the same box, then you do have limited options; however, splitting them between two or more servers could be a wise tactic.
These days, the deployment of servers/services accessed by the public should also be accompanied by the installation of firewalls and IPS systems, especially if we are talking about an organization.
Use the strongest possible encryption for SSH, limit access for specific accounts from which you can then SU to gain elevated privileges. As far as binding the services to the localhost - I'm not really sure if this can work, but it sounds like an interesting idea, however something tells me that it might not just be enough.
Finally, if you are able to limit the IP addresses that will have access to the server, then do it - no questions asked, especially if there is no IPS or other means of protection such as advanced firewalls etc.