I've got a number of servers at a hosting company that were configured prior to my becoming responsible for them. Traditionally, I've used SSH to do minor editing on servers, but more and more, I've come to rely on KDE's ability to 'speak' SSH to just browse (Konqueror) files on remote machines and edit them in an IDE (Quanta Plus). I use rsync to publish (actually synchronize) entire directory trees between development/staging/production areas.
The environment I find myself in now is unlike ones that I'm used to. SSH is allowed for some hosts while not for others. For most host access, you need to go through a single point of entry (sentry), and then ssh from there over the local network. (There is both a front-end network 10.x.x.x for the hosted machines, and a backend network 10.y.y.y). I'm still trying to understand what all this buys me in terms of security, but from my simple perspective of a developer, it buys me a large level of complication with no usability.

I am not really sure what tricks I need to get rsync to go from box C (desktop) to box B (sentry) to box A (host) because I've only gone from C->A in the past. MySQL is not allowed for any external connection. I can't use any database administration tools on the databases - because I have no direct access to the database server on any machine, and even installing a 'client' on the server won't work because I can't ssh -X to that particular box (and it's not running an X server).

So, (I could easily be opining on things which I do not know enough about) according to what I know about thwarting script kiddies, and having good security measures while still providing critical services, it seems like it would be a 'best practice' approach to open SSHd and MySQLd to known IP address(es) using strong passwords, and non-standard ports. Of course, this presumes having a hardened OS, secured MySQL server, and updated SSHd. Maybe it's time to go read that book about secure servers.
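
The C -> B -> A path described in the post can be expressed in the desktop's OpenSSH client configuration, so rsync and a local MySQL client work without opening sshd or mysqld to outside addresses. This is an added example, not part of the original post; the host aliases, user names, addresses, ports and paths are placeholders, and it assumes mysqld on box A listens on its loopback interface.

```sshconfig
# ~/.ssh/config on the desktop (box C). All names and addresses below are
# placeholders (assumptions), not values from the post.

# Box B: the single point of entry.
Host sentry
    HostName sentry.example.net
    User youruser

# Box A: reached over the internal network by hopping through box B.
# ProxyJump needs OpenSSH 7.3 or later on the desktop; on older clients use
#   ProxyCommand ssh -W %h:%p sentry
Host hosta
    HostName 10.0.0.10
    User youruser
    ProxyJump sentry

# Separate alias that only carries a MySQL tunnel, so ordinary ssh and rsync
# sessions to "hosta" do not try to bind the local port as well.
# Assumes mysqld on box A listens on 127.0.0.1:3306.
Host hosta-db
    HostName 10.0.0.10
    User youruser
    ProxyJump sentry
    LocalForward 127.0.0.1:3307 127.0.0.1:3306
    ExitOnForwardFailure yes

# Usage from box C:
#   rsync -az ./site/ hosta:/var/www/site/      # C -> B -> A in one step
#   ssh -N hosta-db                             # hold the tunnel open
#   mysql -h 127.0.0.1 -P 3307 -u dbuser -p     # client on C, server on A
```

The session to box A is encrypted end to end from the desktop and the sentry only relays it, so both machines still authenticate the user. The jump and the tunnel depend on sshd permitting TCP forwarding (`AllowTcpForwarding`) on the sentry and on box A.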