[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Xen-users] ip which is already being used can be taken by windowsvps

  • To: "xen-users@xxxxxxxxxxxxxxxxxxx" <xen-users@xxxxxxxxxxxxxxxxxxx>
  • From: Nathan Eisenberg <nathan@xxxxxxxxxxxxxxxx>
  • Date: Sun, 18 Oct 2009 00:42:07 -0700
  • Accept-language: en-US
  • Acceptlanguage: en-US
  • Delivery-date: Sun, 18 Oct 2009 00:43:34 -0700
  • List-id: Xen user discussion <xen-users.lists.xensource.com>
  • Thread-index: AcpPaaNIlsyG3zAPStazlSGOhuEQcQAKMebAAAzy9cA=
  • Thread-topic: [Xen-users] ip which is already being used can be taken by windowsvps
> Some suggestions:
> 
> 1. Make sure that anything that ever wants to talk to 1.1.1.1 uses SSL
> so that it can never be impersonated. Make sure that you pay attention
> if your ssh client ever complains that the key has changed.
> 2. Put each VM on a /30 network and route everything to it. It might be
> a pain to maintain but it greatly reduces the attack surface.
> 3. Use iptables to filter that port to make sure the source IP address
> is correct (remember to allow for DHCP queries if you use that - they
> will appear to come from 0.0.0.0 I think).
> 4. Install arpwatch (I think that's what it's called) that can notify
> if
> the relationship between a mac address and an IP address changes
> 
> James
> 

If you're going to do #2, you may as well use /31s and save 2 IPs per host.

Best Regards,
Nathan Eisenberg


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.