
RE: [Xen-users] ip which is already being used can be taken bywindowsvps


  • To: "Nathan Eisenberg" <nathan@xxxxxxxxxxxxxxxx>, <xen-users@xxxxxxxxxxxxxxxxxxx>
  • From: "James Harper" <james.harper@xxxxxxxxxxxxxxxx>
  • Date: Sun, 18 Oct 2009 18:48:10 +1100
  • Cc:
  • Delivery-date: Sun, 18 Oct 2009 00:49:03 -0700
  • List-id: Xen user discussion <xen-users.lists.xensource.com>
  • Thread-index: AcpPaaNIlsyG3zAPStazlSGOhuEQcQAKMebAAAzy9cAAADfzUA==
  • Thread-topic: [Xen-users] ip which is already being used can be taken bywindowsvps

> 
> > Some suggestions:
> >
> > 1. Make sure that anything that ever wants to talk to 1.1.1.1 uses SSL
> > so that it can never be impersonated. Make sure that you pay attention
> > if your ssh client ever complains that the key has changed.
> > 2. Put each VM on a /30 network and route everything to it. It might be
> > a pain to maintain but it greatly reduces the attack surface.
> > 3. Use iptables to filter that port to make sure the source IP address
> > is correct (remember to allow for DHCP queries if you use that - they
> > will appear to come from 0.0.0.0 I think).
> > 4. Install arpwatch (I think that's what it's called) that can notify if
> > the relationship between a mac address and an IP address changes
> >
> > James
> >
> 
> If you're going to do #2, you may as well use /31s and save 2 IPs per host.
> 

I'm sure I read somewhere, once upon a time, that Windows just didn't
work with a /31. Could have been on the OpenVPN mailing list or docs
that I read it. I could also have imagined it :)

If you are using public IP addresses then by all means, try and use as
few as possible. If you are using private addresses though, I don't
think it's worth the fuss.

James
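
Added example, not part of the thread above and not code from anyone on the list: a small arpwatch-style monitor that combines suggestions 3 and 4 from the quoted message. It parses raw Ethernet/ARP frames as they would be seen on the dom0 bridge, checks that the ARP sender MAC/IP on a given vif matches what that VM was assigned (the per-port source filter that iptables or ebtables would enforce), and separately keeps a MAC-to-IP binding table so an IP that moves to a new MAC is reported the way arpwatch reports a "changed ethernet address". ARP probes from 0.0.0.0 are let through, matching the DHCP caveat in suggestion 3. The vif names, MAC addresses, IPs and frames are all constructed for the example.

```python
"""Added example (not from the Xen-users thread): arpwatch-style ARP monitor
for a Xen bridge with per-vif MAC/IP source checks. All names and frames
below are constructed for illustration."""
import struct
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2


@dataclass
class ArpEvent:
    vif: str      # bridge port the frame arrived on, e.g. "vif2.0" (assumed naming)
    kind: str     # "spoof": vif claims an address it was not assigned
                  # "flip":  an IP changed MAC, the event arpwatch reports
    ip: str
    mac: str
    detail: str


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet II ARP frame,
    or None if the frame is not IPv4-over-Ethernet ARP."""
    if len(frame) < 14 + 28:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    arp = frame[14:42]
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", arp[:8])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    sha, spa = arp[8:14], arp[14:18]
    return op, mac_str(sha), ".".join(str(x) for x in spa)


def build_arp(op, smac, sip, tmac="00:00:00:00:00:00", tip="0.0.0.0") -> bytes:
    """Construct a broadcast Ethernet/ARP frame (test input for the monitor)."""
    def mac_b(m): return bytes(int(x, 16) for x in m.split(":"))
    def ip_b(i): return bytes(int(x) for x in i.split("."))
    eth = mac_b("ff:ff:ff:ff:ff:ff") + mac_b(smac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac_b(smac) + ip_b(sip) + mac_b(tmac) + ip_b(tip))
    return eth + arp


class BridgeWatch:
    def __init__(self, assignments):
        # assignments: vif -> (mac, ip) as configured for each domU (assumption:
        # the admin knows which address each VM was given)
        self.assignments = assignments
        self.bindings = {}   # ip -> mac, the arpwatch-style table
        self.events = []

    def observe(self, vif: str, frame: bytes):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        op, smac, sip = parsed
        # An ARP probe before DHCP/autoconf uses sender IP 0.0.0.0 and
        # claims nothing, so it is allowed (the caveat in suggestion 3).
        if sip == "0.0.0.0":
            return None
        expected = self.assignments.get(vif)
        if expected is not None and (smac, sip) != expected:
            # Per-port source check: this is what a vif-level filter drops,
            # so the binding table is deliberately not updated.
            ev = ArpEvent(vif, "spoof", sip, smac,
                          f"{vif} is assigned {expected[1]} / {expected[0]}")
            self.events.append(ev)
            return ev
        prev = self.bindings.get(sip)
        if prev is not None and prev != smac:
            ev = ArpEvent(vif, "flip", sip, smac,
                          f"{sip} moved from {prev} to {smac}")
            self.events.append(ev)
        self.bindings[sip] = smac
        return self.events[-1] if prev is not None and prev != smac else None


def demo():
    """Replay a constructed sequence: a legitimate VM, then a second VM
    taking the first one's address, then the same claim from an unknown vif."""
    watch = BridgeWatch({
        "vif1.0": ("00:16:3e:00:00:01", "1.1.1.1"),   # assumed Linux VM
        "vif2.0": ("00:16:3e:00:00:02", "1.1.1.2"),   # assumed Windows VM
    })
    results = [
        watch.observe("vif1.0", build_arp(ARP_REPLY, "00:16:3e:00:00:01", "1.1.1.1")),
        watch.observe("vif2.0", build_arp(ARP_REQUEST, "00:16:3e:00:00:02", "0.0.0.0", tip="1.1.1.1")),
        watch.observe("vif2.0", build_arp(ARP_REPLY, "00:16:3e:00:00:02", "1.1.1.1")),
        watch.observe("vif9.0", build_arp(ARP_REPLY, "00:16:3e:00:00:09", "1.1.1.1")),
    ]
    return results


if __name__ == "__main__":
    for ev in demo():
        if ev is not None:
            print(f"{ev.kind}: {ev.ip} from {ev.mac} on {ev.vif} ({ev.detail})")
```

Frames 1 and 2 pass: the first is the assigned owner, the second is a probe from 0.0.0.0. Frame 3 is reported as "spoof" because vif2.0 was assigned 1.1.1.2, and frame 4, from a vif with no assignment, is only caught by the binding table as a "flip" of 1.1.1.1 away from the Linux VM's MAC. In production the frames would come from a packet capture on the bridge and the "spoof" case would be enforced, not just logged, with an ebtables or iptables rule per vif.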

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

