This is a discussion on Tightening SSH access within the Linux Security forums, part of the System Security and Security Related category.
On Sat, 09 Jul 2005 11:50:19 -0400, Carlos Moreno wrote:

> Comments? (time to write to the OpenSSH guys with this feature
> request? Or has this been addressed in the past?)

Sounds like a good idea. By all means suggest it to the OpenSSH maintainers. I'm sure they would appreciate the user input. :)

--
Jafar Calley
Producer - http://moonlife-records.com
--------------------------------------
See the latest Mars and Saturn images
http://fatcat.homelinux.org
You could also use Dynamic DNS to solve the thing about only "our machines": a DNS record plus a MAC address plus username and password... this is safe enough... or you could use a Dynamic DNS VPN with public certificates plus iptables plus username/password... plus a freakin' biometric scanner.
In article <mcCze.38558$e64.1059880@wagner.videotron.net>, Carlos Moreno wrote:

> Is there a way to configure SSH + iptables such that it only accepts
> logins coming from our machines?

I tackled the problem in a different way. I have SSH configured with tcpwrappers (/etc/hosts.allow, hosts.deny) that normally only allow connections from the LAN. It's IP address (or IP range), not MAC, but this may be sufficient for you.

But in addition I wrote a program called Ostiary that is, I respectfully submit, secure by inspection. It uses CHAP+HMAC with a SHA1 hash, and only allows a fixed set of commands to be run, with one argument: the IP that successfully authenticated. Buffer overflows and similar attacks are impossible. Mathematically speaking, brute force is vanishingly unlikely to work (i.e. the sun will burn out first) and it has automatic lockout features to thwart dictionary attacks.

I use it to temporarily enable SSH for whatever specific machine I happen to be on, and then SSH in. It even has a Java client now, so any Java-enabled web browser can be the client. (Combine that with a Java SSH client... :-> )

Perhaps I'm overly paranoid, but I don't worry about anyone breaking into my system via SSH, even if they somehow find a buffer overflow in SSH or something. And for simple remote admin tasks (e.g. restart webserver, etc.) SSH isn't needed at all.

http://ingles.homeunix.org/software/ost/

--
Sincerely,
Ray Ingles (313) 227-2317

"Open source code is not guaranteed nor does it come with a warranty."
- the Alexis de Tocqueville Institute

"I guess that's in contrast to proprietary software, which comes with a money-back guarantee, and free on-site repairs if any bugs are found."
- Rary
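The design Ray describes above (a challenge-response exchange keyed by HMAC-SHA1, a fixed table of commands whose only argument is the authenticated client IP, and automatic lockout after repeated failures) is sketched below as an added illustration. This is not Ostiary's code and does not follow its wire protocol; the class and function names, the message layout (nonce, a `|` separator, the command name) and the shared secret are all constructed for the example. The "enable SSH" handler returns the iptables rule it would apply as a string instead of executing it, so the block runs offline and shows what the server would do for that IP.

```python
import hashlib
import hmac
import os
import time

# Constructed shared secret; a real deployment would load this from a
# root-only config file, never embed it in source.
SECRET = b"constructed-shared-secret-for-the-example"


def client_response(secret: bytes, nonce: bytes, command: bytes) -> bytes:
    """Client side of the exchange: prove knowledge of the shared secret by
    computing HMAC-SHA1 over the server's nonce and the requested command.
    The secret itself never crosses the wire."""
    return hmac.new(secret, nonce + b"|" + command, hashlib.sha1).digest()


class ChallengeServer:
    """Server side (hypothetical name): one-shot nonce per client, constant-time
    HMAC comparison, a fixed command table, and a failure counter that locks a
    source IP out for a while after too many bad responses."""

    def __init__(self, secret, allowed, max_failures=3, lockout_seconds=300,
                 clock=time.monotonic):
        self.secret = secret
        self.allowed = dict(allowed)          # command name -> handler(ip)
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock                    # injectable for testing
        self.pending = {}                     # ip -> outstanding nonce
        self.failures = {}                    # ip -> consecutive failures
        self.locked_until = {}                # ip -> lockout expiry time

    def is_locked(self, ip: str) -> bool:
        return self.clock() < self.locked_until.get(ip, 0.0)

    def issue_challenge(self, ip: str):
        """Hand out a fresh random nonce, or None if the IP is locked out."""
        if self.is_locked(ip):
            return None
        nonce = os.urandom(16)
        self.pending[ip] = nonce
        return nonce

    def _record_failure(self, ip: str) -> None:
        count = self.failures.get(ip, 0) + 1
        self.failures[ip] = count
        if count >= self.max_failures:
            self.locked_until[ip] = self.clock() + self.lockout_seconds
            self.failures[ip] = 0

    def verify(self, ip: str, command: bytes, response: bytes):
        """Check the client's response against the nonce issued to that IP.
        The nonce is consumed whatever the outcome, so a captured response
        cannot be replayed. On success the command's handler runs with the
        authenticated IP as its only argument."""
        nonce = self.pending.pop(ip, None)
        if nonce is None or self.is_locked(ip):
            return "rejected"
        expected = hmac.new(self.secret, nonce + b"|" + command,
                            hashlib.sha1).digest()
        if not hmac.compare_digest(expected, response):
            self._record_failure(ip)
            return "rejected"
        self.failures.pop(ip, None)
        handler = self.allowed.get(command)
        if handler is None:
            return "unknown-command"
        return handler(ip)


# Fixed command table: each handler takes only the authenticated IP.
def enable_ssh(ip: str) -> str:
    # Returned, not executed, so the example is safe to run anywhere.
    return f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j ACCEPT"


def restart_web(ip: str) -> str:
    return f"systemctl restart httpd  # requested by {ip}"


ALLOWED = {b"enable-ssh": enable_ssh, b"restart-web": restart_web}


def run_demo():
    """Walk through a legitimate exchange, a replay, two wrong guesses that
    trigger lockout, a refused challenge while locked, and recovery after
    the lockout expires. Uses a fake clock so the timing is deterministic."""
    now = [1000.0]
    srv = ChallengeServer(SECRET, ALLOWED, max_failures=2, lockout_seconds=60,
                          clock=lambda: now[0])
    ip = "192.0.2.10"                         # constructed client address
    out = []
    nonce = srv.issue_challenge(ip)
    good = client_response(SECRET, nonce, b"enable-ssh")
    out.append(srv.verify(ip, b"enable-ssh", good))      # accepted
    out.append(srv.verify(ip, b"enable-ssh", good))      # replay: rejected
    for _ in range(2):                                   # dictionary attempts
        n = srv.issue_challenge(ip)
        out.append(srv.verify(ip, b"enable-ssh",
                              client_response(b"wrong-guess", n, b"enable-ssh")))
    out.append(srv.issue_challenge(ip))                  # locked: None
    now[0] += 61                                         # lockout expires
    n = srv.issue_challenge(ip)
    out.append(srv.verify(ip, b"restart-web",
                          client_response(SECRET, n, b"restart-web")))
    return out


if __name__ == "__main__":
    for step in run_demo():
        print(step)
```

The two properties worth noting are that the server compares digests with `hmac.compare_digest` (so response checking does not leak timing) and that the nonce is popped before any check, so a response observed on the network is useless a second time; the lockout counter is what turns "brute force is vanishingly unlikely" into "and we also stop answering after a few tries".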