
Re: Remote Access: Service vs. Security



On Tue, Jan 11, 2005 at 06:27:28PM +0100, Ralf Gesellensetter wrote:
> (Xpost)
> 
> Hi there,
> 
> as most of you will agree, it makes sense to have particular services of 
> your skolelinux system available remotely:
> 
> - ssh for administration
> - ssh for sftp
> - ssh for NX
> 
> Even though we don't use a fixed IP, today we had a visitor via ssh who 
> cracked a user's password by brute force (this pupil happened to be in 
> some weird IRC channel).
> 
> This makes me think.
> 
> As long as we can't make sure all pupils' / teachers' passwords are safe, 
> we rather should not allow ssh to them (as they don't use it for now, 
> anyway). But in order to give teachers the opportunity to work from 
> home, we will need some way to assure secure access. What solutions did 
> you choose? Something like portscanblocking and hidden (unusual) port 
> could be an option.

  Well, security by obscurity is not the best option, maybe a better idea
  would be to allow incoming connections from the outside using RSA/DSA keys
  only and limiting access to users on a specific 'trusted' group using the
  AllowGroups directive.

  I've done that in some places using another instance of the sshd running on
  port 2222 of the machine and mapping it to port 22 of the public address
  (maybe the same server can be used internally and externally, but I've never
  tried).
  
-- 
Sergio Talens-Oliag <sto@debian.org>   <http://people.debian.org/~sto/>
Key fingerprint = 29DF 544F  1BD9 548C  8F15 86EF  6770 052B  B8C1 FA69
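
A check for the setup suggested in the reply above (key-only logins restricted with AllowGroups on a second sshd on port 2222), added here as an example and not part of the original message. The config text is a constructed sample; the file path and the group name `sshremote` are assumptions.

```python
# Added example: audit an sshd_config for key-only, group-restricted logins.
# SAMPLE is constructed; the file path and group "sshremote" are assumptions.
SAMPLE = """\
# /etc/ssh/sshd_config_external (second sshd instance, constructed sample)
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AllowGroups sshremote
"""

# sshd defaults that apply when a keyword is absent from the file
DEFAULTS = {"pubkeyauthentication": "yes", "passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes", "allowgroups": ""}
# older configs spell keyboard-interactive with its deprecated alias
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def effective(config_text):
    """Global settings; keywords are case-insensitive, first value read wins."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":  # conditional blocks are outside this check
            break
        key = ALIASES.get(key, key)
        seen.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return {**DEFAULTS, **seen}

def audit(config_text):
    """List findings that would let a guessed password log in remotely."""
    cfg = effective(config_text)
    findings = []
    if cfg["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no'")
    if cfg["kbdinteractiveauthentication"] != "no":
        findings.append("keyboard-interactive (PAM password prompt) is not 'no'")
    if cfg["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is not 'yes'")
    if not cfg["allowgroups"].split():
        findings.append("no AllowGroups: every account may log in")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE) or "key-only, group-restricted")
```

A `PasswordAuthentication no` placed after an earlier `PasswordAuthentication yes` has no effect, which is why the check reads the first value rather than the last.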
