[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Remote Access: Service vs. Security

El Tue, Jan 11, 2005 at 06:27:28PM +0100, Ralf Gesel|ensetter va escriure:
> (Xpost)
> Hi there,
> as most of you will agree, it makes sense to have particular services of 
> your skolelinux system available remotely:
> - ssh for administration
> - ssh for sftp
> - ssh for NX
> Even though, we don't use a fix IP, today we had a visitor via ssh who 
> cracked a users password by bruteforce (this pupil happened to be in 
> some weird IRC channel).
> This makes me think.
> As long we can't make sure all pupils' / teachers' passwords are safe, 
> we rather should not allow ssh to them (as they don't use it for now, 
> anyway). But in order to give teachers the opportunity to work from 
> home, we will need some way to assure secure access. What solutions did 
> you choose? Something like portscanblocking and hidden (unusual) port 
> could be an option.

  Well, security by obscurity is not the best option, maybe a better idea
  would be to allow incoming connections from the outside using RSA/DSA keys
  only and limiting access to users on a specific 'trusted' group using the
  AllowGroups directive.

  I've done that on some places using another instance of the sshd running on
  port 2222 of the machine and mapping it to port 22 of the public address
  (maybe the same server can be used internally and externally, but I've never
Sergio Talens-Oliag <sto@debian.org>   <http://people.debian.org/~sto/>
Key fingerprint = 29DF 544F  1BD9 548C  8F15 86EF  6770 052B  B8C1 FA69

Attachment: signature.asc
Description: Digital signature

Reply to: