
Re: Remote administration of a server



On Fri, 17 Jun 2005, Mitja Podreka wrote:

> I have ADSL connection without fixed IP, can I then set some kind of IP net
> mask to restrict access from other IP?

Yes you can.  SSH can do this itself (if compiled against TCP Wrappers), 
or better you can get a firewall to do it.

It is generally accepted that if you block password access and use PKI 
authentication only then further restricting access based on IP is not 
necessary.
 
OTOH people do do this - We have one client who wanted us to do this with 
some of their externally visible systems.

Here are a couple of things to consider:

1. The principles of least privilege and security in depth both endorse 
   restricting the IP if you can.

2. If there is a remote exploit in sshd or something it relies on (like a 
   library) you can rest easier if you know you've restricted access via 
   IP.

Rob

-- 
Robert Brockway B.Sc.
Senior Technical Consultant, OpenTrend Solutions Ltd.
Ph: +1-416-669-3073 Email: rbrockway@opentrend.net http://www.opentrend.net
OpenTrend Solutions: Reliable, secure solutions to real world problems.
Contributing Member of Software in the Public Interest http://www.spi-inc.org
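
Added example, not part of the original message: a small audit of the two controls discussed above, key-only logins in sshd_config and a netmask restriction through TCP Wrappers. The file contents, the 203.0.113.0 range standing in for an ISP's dynamic pool, and all function names are constructed for illustration; only `ALL`, `net/mask` and trailing-dot prefix patterns are handled.

```python
import ipaddress

# Constructed sample files (documentation address range, not from the original post).
SSHD_CONFIG = """\
# key-only logins
PasswordAuthentication no
PubkeyAuthentication yes
"""
HOSTS_ALLOW = "sshd: 203.0.113.0/255.255.255.0\n"
HOSTS_DENY = "sshd: ALL\n"

def sshd_option(config, name, default):
    """Return an sshd_config value; sshd uses the first occurrence of a keyword."""
    for line in config.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0].lower() == name.lower():
            return parts[1].strip().lower()
    return default

def rule_matches(rules, daemon, client_ip):
    """True if any 'daemons: clients' line covers this daemon and address."""
    addr = ipaddress.ip_address(client_ip)
    for line in rules.splitlines():
        line = line.split("#", 1)[0]
        if ":" not in line:
            continue
        daemons, clients = [f.replace(",", " ").split() for f in line.split(":")[:2]]
        if daemon not in daemons and "ALL" not in daemons:
            continue
        for pat in clients:
            if pat == "ALL":
                return True
            if "/" in pat and addr in ipaddress.ip_network(pat, strict=False):
                return True
            if pat.endswith(".") and client_ip.startswith(pat):
                return True
    return False

def wrappers_allow(allow, deny, daemon, client_ip):
    """TCP Wrappers order: hosts.allow match grants, hosts.deny match refuses, else grant."""
    if rule_matches(allow, daemon, client_ip):
        return True
    return not rule_matches(deny, daemon, client_ip)

def audit(client_ip):
    """Report both controls for one client address against the sample files."""
    return {
        "password_auth_off": sshd_option(SSHD_CONFIG, "PasswordAuthentication", "yes") == "no",
        "ip_admitted": wrappers_allow(HOSTS_ALLOW, HOSTS_DENY, "sshd", client_ip),
    }
```

With no matching line in either file TCP Wrappers grants access, so the `sshd: ALL` entry in hosts.deny is what makes the netmask in hosts.allow an actual restriction.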


