On Tue, Mar 25, 2008 at 11:28:45AM -0700, Tim Alberts wrote:
> >http://wiki.xdroop.com/space/Linux/Limited+SSH+Access
> >  
> That sounds great for getting around a remote dynamic IP address, but 
> some more authentication/security on that web page is necessary, 
> otherwise, anyone who finds that web page is given access?

Strictly speaking, yes; however in practice, the number of bots (or,
indeed, external users who are not me) who the magic web page to hit
(my actual page is not named as the example on the web page is!)
before attacking the ssh connection is zero; therefore since the goal
was to prevent stupid robots from brute-forcing my ssh and filling my
logs, it isn't necessary.  

I mean, strictly speaking you'd next have to insist on a proper SSL
connection to the web server, otherwise you are at risk of someone
sniffing the username and password used in the .htaccess process. 
And then after that, you'd have to insist on some kind of security on
the remote system to ensure that your passwords are not being
captured.  Etc, etc.  

-- 
 /\oo/\
/ /()\ \ David Mackintosh | 
         [EMAIL PROTECTED]  | http://www.xdroop.com

Attachment: pgpheBd6M3mv6.pgp
Description: PGP signature

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Reply via email to