
Re: configure ssh-access



On Mon, Jul 07, 2003 at 07:38:17PM +0200, François TOURDE wrote:
> On the 12240th day after Epoch,
> Mario Ohnewald wrote:
> > I think this problem should not be solved with configuring sshd.
> 
> Wrong... You can configure sshd to accept only login from recognized keys,
> and let the firewall open.

 If there is an exploitable bug in that code, you're screwed, and the whole
world can crack your machine.  It's not really a problem to allow ssh access
from the whole world, except when there's a problem with ssh.  What you
should try to do is limit the chance people have to crack your machine
before you can do something about it.  By allowing connections from only a
few IP address blocks, you cut out most of the crackers in the world, but
don't have to mess with dynamic DNS and lack of reverse lookup; a good
tradeoff between security and convenience.  I suppose filtering with
iptables is really the way to do it, but using ssh's built-in AllowUsers is
still at least somewhat useful.  I don't know how much code in sshd runs
before AllowUsers is checked, but I hope not too much, so as to minimize the
risk of bugs.

> > I solved it with an iptables script which resolves my dynamic host every 5 mins,
> > and then reloads the firewall if needed.
> 
> So, in some cases, you must wait 5 mins to connect?

 Yeah, I agree that this is going too far, unless you are trying to protect
secrets that require armed guards in the real world, to back up the extreme
paranoia in the virtual world.

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X(peter@llama.nslug.n , s.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BC



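The two-layer setup Peter describes (a kernel-level iptables filter that keeps untrusted sources away from sshd entirely, plus AllowUsers host patterns inside sshd as a second line) can be generated and sanity-checked from one list of address blocks. The following is an added example, not code from the thread or from any of its participants; the address blocks and user names are constructed (RFC 5737 documentation ranges), and the AllowUsers line uses shell-style wildcard host patterns rather than CIDR so that it works on older sshd versions too.

```python
import ipaddress

# Constructed sample: the few address blocks admins connect from, and who they are.
ALLOWED_BLOCKS = ["198.51.100.0/24", "203.0.113.0/24"]
ADMIN_USERS = ["peter", "mario"]
SSH_PORT = 22


def iptables_rules(blocks=ALLOWED_BLOCKS, port=SSH_PORT):
    """Return iptables rule lines that accept TCP to the ssh port only from the
    listed blocks and drop everything else.  Because the decision is made in
    the kernel, no sshd code runs at all for a rejected source, which is the
    point of filtering before the daemon rather than inside it."""
    rules = []
    for block in blocks:
        # strict=True rejects a block whose host bits are set (a typo like 198.51.100.5/24)
        net = ipaddress.ip_network(block, strict=True)
        rules.append(f"-A INPUT -p tcp --dport {port} -s {net} -j ACCEPT")
    rules.append(f"-A INPUT -p tcp --dport {port} -j DROP")
    return rules


def _wildcard_pattern(net):
    """Map an octet-aligned IPv4 block to an AllowUsers host wildcard (e.g. 198.51.100.*).
    Non-octet-aligned prefixes cannot be expressed as a wildcard, so refuse them
    instead of silently widening the match."""
    if net.version != 4 or net.prefixlen not in (8, 16, 24, 32):
        raise ValueError(f"{net}: only IPv4 /8, /16, /24 or /32 map to a wildcard host pattern")
    octets = str(net.network_address).split(".")
    keep = net.prefixlen // 8
    return ".".join(octets[:keep] + ["*"] * (4 - keep))


def allow_users_line(users=ADMIN_USERS, blocks=ALLOWED_BLOCKS):
    """Return the sshd_config AllowUsers line restricting each admin to the blocks.
    This is the in-daemon second layer: it only helps if the firewall lets the
    connection through, but it costs nothing to keep both consistent."""
    nets = [ipaddress.ip_network(b, strict=True) for b in blocks]
    patterns = [f"{user}@{_wildcard_pattern(net)}" for user in users for net in nets]
    return "AllowUsers " + " ".join(patterns)


def source_allowed(ip, blocks=ALLOWED_BLOCKS):
    """Mirror the firewall decision for a single source address, e.g. to check
    a connection seen in the logs or to verify the rule set before loading it."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(b, strict=True) for b in blocks)


if __name__ == "__main__":
    print("\n".join(iptables_rules()))
    print(allow_users_line())
    for probe in ("198.51.100.7", "192.0.2.1"):
        print(probe, "reaches sshd" if source_allowed(probe) else "dropped by firewall")
```

The ACCEPT rules are emitted before the final DROP, so ordering in the script matters; the generated lines are meant to be fed to an iptables script or iptables-restore, and the AllowUsers line pasted into sshd_config, followed by a reload of each. Keeping both derived from the same block list avoids the usual drift where the firewall and sshd disagree about who is allowed in.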