[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: opened OpenSSL port

erikmccaskey64 <erikmccaskey64@zoho.com> wrote:
> Main question: is it safe, to open a port for an openssl server? 

No, it's not 100% safe. One has to evaluate the risk vs requirement and
act accordingly.

> Is it secure? - it could be DOSed' [DenialofService] or could it be
> attacked in any way?

Yes, of course it can. A few hundred thousand bots hammering away at
your machine will likely bring it to its knees regardless of the security
you apply to the port itself - or even the service running on that port.

> Are there any iptables rule for restricting connections to dyndns names?
> e.g.: only allow connection from "asdfasdf.dyndns.com" and
> "asdfasdf2.dyndns.com" and "asdfasdf3.dyndns.com"?

No. Iptables is about IP addresses (and ports). Not names. But
/etc/hosts.allow could provide a level of protection for names matching,
e.g. "*.dyndns.org".

> How could i restrict the openssl server to only accept traffic from
> given clients? Please help me "think"..

You can put allowed users into an "can-ssh" group (/etc/groups) and then
apply a rule in ssh_config that only permits logins from user accounts
in that group.

> Or are there any "production ready" methods, that can do authentication
> too? [+using ssl]. "openssl s_server" and "openssl s_client" would be
> perfect, but the problem is it doesn't has username/password auth :\

I don't understand this. Ssh supports public/private key authentication,
with an optional fall-back to password. If you change the fall-back you
can force mandatory key authentication.


Reply to: