
Debian bastion host



Hello,

I am setting up a bastion host, so that all my NOC engineers would ssh
to it first, before telnetting to the network devices (routers).

I can't provide ssh on the routers, so I am working around it by
adding an extra hop that would provide encryption, at least from their
position to the server, apply some detailed logging, and, last
but not least, enforce a policy and mitigate per-PC problems (worms,
intrusion, ...).

I don't have much *nix background by comparison; I'm probably more into
networks. I've done my homework, it's just that you have to be a
sysadmin to see the whole picture and pinpoint the needed
resources/configurations; that's why I am seeking advice from Linux
experts here:

This server is a Pentium 3, 500 MHz, 128 MB RAM, NIC: 3com 3c905C-TX/TX-M.

My needs/ideas are:

1) I will restrict ssh only to the subnets that the NOC is connected to,
and they can't connect to any devices from there except the management
subnets.

2) Users will have an account on the box; they only need to use
the binaries (telnet, traceroute, ping). How do I restrict them
to be able to use only these, and more later?

3) I am going to have around 40 people ssh-logged in to the box, and from
there telnetting to routers. Do I need to worry about anything, like:

- Number of VTYs: is it relative to RAM?
- Kernel recompilation to remove unnecessary services.
- Any other points to consider?

Many thanks
Regards
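One way to build points 1) and 2) of the setup described in the post, as an added example that is not part of the original message or of any Debian package: a small POSIX sh script that puts the allowed commands in a dedicated directory, pins each NOC account's PATH to it under bash's restricted mode (/bin/rbash), and emits an sshd_config fragment that admits those accounts only from the NOC subnets with verbose logging. It assumes /bin/rbash, OpenSSH's AllowUsers user@host patterns and the usermod/getent tools are present on the box; the user names, subnets and the /usr/local/rbin path are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: confine NOC accounts on a Debian
# bastion host to a fixed set of commands and admit them only from the NOC
# subnets. Assumes /bin/rbash and OpenSSH AllowUsers user@host patterns;
# the subnet, user and directory names are placeholders.

RBIN="${RBIN:-/usr/local/rbin}"               # the only directory on a NOC user's PATH
ALLOWED="${ALLOWED:-telnet traceroute ping}"  # commands exposed in $RBIN
NOC_SUBNETS="${NOC_SUBNETS:-10.1.0.* 10.2.0.*}"  # placeholder NOC subnets (host patterns)

# Populate $RBIN with symlinks to the allowed commands. Only real executables
# (absolute paths) are linked; shell builtins and aliases are skipped.
# Returns the number of commands that were not found (0 when all are present).
build_rbin() {
    missing=0
    mkdir -p "$RBIN" || return 1
    for cmd in $ALLOWED; do
        target=$(command -v "$cmd" 2>/dev/null)
        case "$target" in
            /*) ;;            # absolute path: a real binary
            *)  target="" ;;  # builtin, alias or not installed
        esac
        if [ -z "$target" ]; then
            echo "warning: $cmd not found, not linked" >&2
            missing=$((missing + 1))
            continue
        fi
        ln -sf "$target" "$RBIN/$cmd"
    done
    return "$missing"
}

# Write a login profile into one home directory that pins PATH to $RBIN.
# rbash enforces its restrictions only after the startup files have run, so
# the profile may set PATH, but the user cannot change it afterwards. The
# file must be root-owned and not writable by the user, or the lock is moot.
write_profile() {
    home="$1"
    cat > "$home/.bash_profile" <<EOF
PATH=$RBIN
export PATH
readonly PATH
EOF
    chmod 644 "$home/.bash_profile"
}

# Emit an sshd_config fragment admitting the listed users only from the
# listed subnets (shell-style host patterns), with verbose logging so more
# detail about each login reaches auth.log.
sshd_fragment() {
    users="$1"     # e.g. "noc1 noc2"
    subnets="$2"   # e.g. "10.1.0.* 10.2.0.*"
    allow=""
    for u in $users; do
        for s in $subnets; do
            allow="$allow $u@$s"
        done
    done
    printf 'PermitRootLogin no\nLogLevel VERBOSE\nAllowUsers%s\n' "$allow"
}

# Standalone usage (as root):  sh bastion.sh install noc1 noc2
# Links the allowed commands, switches each named account to rbash with a
# root-owned profile, and prints the sshd fragment to append to
# /etc/ssh/sshd_config.
if [ "${1:-}" = "install" ]; then
    shift
    build_rbin
    for u in "$@"; do
        home=$(getent passwd "$u" | cut -d: -f6)
        write_profile "$home"
        chown root:root "$home/.bash_profile"
        usermod -s /bin/rbash "$u"
    done
    sshd_fragment "$*" "$NOC_SUBNETS"
fi
```

Two caveats go with this. A restricted shell is only as tight as the programs it exposes: if any command in $RBIN can spawn a subprocess (some telnet clients have a shell-escape command, documented in their man page), the user gets an unrestricted shell, so check each allowed binary for escapes before linking it. And AllowUsers patterns match the client address as sshd sees it, so the NOC subnets must be the real source addresses (after any NAT), and the same subnet list should be mirrored in a packet filter so the restriction does not rest on sshd alone.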


