On 12/19/05, Greg Rundlett <[EMAIL PROTECTED]> wrote:

The environment I find myself in now is unlike ones that I'm used to.
SSH is allowed for some hosts while not for others.  For most host
access, you need to go through a single point of entry (sentry), and
then ssh from there over the local network.  (There is both a
front-end network 10.x.x.x for the hosted machines, and a backend
network 10.y.y.y).  I'm still trying to understand what all this buys
me in terms of security, but from my simple perspective of a

It's another layer.  One place I was at did that.  The SSH server was rebooted every week to break external connections.


developer, it buys me a large level of complication with no usability.
I am not really sure what tricks I need to get rsync to go from box C
(desktop) to box B (sentry) to box A (host) because I've only gone
from C->A in the past.

On C:
xterm -e 'ssh B -L 44001:A:22'
rsync -e "ssh -p 44001" /local-src-on-C localhost:/remote-dest-on-A


So "ssh -p 44001" localhost gets you to A
 

MySQL is not allowed for any external connection.  I can't use any
database administration tools on the databases - because I have no
direct access to the database server on any machine, and even
installing a 'client' on the server won't work because I can't ssh -X
to that particular box (and it's not running an X server).

ssh B -L 3306:MySQL_Server:3306  # assuming the MySQL server is reachable from B

Now point your MySQL tools on your desktop at localhost and they get forwarded to port 3306 on the MySQL server (which is MySQL)

Using this, you use the GUI on your desktop and the server doesn't have the potential security holes, RAM and CPU usage introduced by a GUI.

 If B can get to everything internally, you can forward any TCP port you'd like.

So, (I could easily be opining on things which I do not know enough
about) according to what I know about thwarting script kiddies, and
having good security measures while still providing critical services,
it seems like it would be a 'best practice' approach to open SSHd and
MySQLd to known IP address(es) using strong passwords, and non-standard
ports.  Of course, this presumes having a hardened OS, secured MySQL
server, and updated SSHd.

Maybe it's time to go read that book about secure servers.
_______________________________________________
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss



--
A strong conviction that something must be done is the parent of many bad measures.
  - Daniel Webster
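An added worked example (mine, not from either poster) that scripts the two forwards discussed above: the C -> B -> A tunnel for rsync and the MySQL forward through B. It assumes B and A resolve from C, that B can reach A:22 and MySQL_Server:3306, that local ports 44001 and 3306 are free on C, and that nc and pkill are installed. It binds the listener to 127.0.0.1 explicitly so nothing else on C's network can ride the tunnel, and it also shows the ProxyJump (-J) form that OpenSSH 7.3 and later provide, which avoids the hand-picked local port entirely.

```shell
#!/bin/sh
# Constructed example for the sentry/jump-host setup in this thread.
# Assumed names: B = sentry, A = internal host, MySQL_Server = database host.

# ssh command that opens a loopback listener on C forwarding to target:rport via B.
# -f backgrounds ssh after authentication, -N runs no remote command.
# The explicit 127.0.0.1 bind keeps the forward local (the default unless
# GatewayPorts is enabled, but worth stating so the intent is auditable).
tunnel_cmd() {
    bastion=$1; target=$2; rport=$3; lport=$4
    printf 'ssh -f -N -L 127.0.0.1:%s:%s:%s %s\n' "$lport" "$target" "$rport" "$bastion"
}

# rsync that rides the tunnel; the only change from a direct C->A rsync is
# telling the transport ssh which local port to dial.
rsync_cmd() {
    port=$1; src=$2; dest=$3
    printf 'rsync -av -e "ssh -p %s" %s localhost:%s\n' "$port" "$src" "$dest"
}

# Same job without a manual forward: -J (ProxyJump) has C's ssh connect to B
# and ask B to open a channel to A:22, so no listening port is left on C.
rsync_jump_cmd() {
    bastion=$1; target=$2; src=$3; dest=$4
    printf 'rsync -av -e "ssh -J %s" %s %s:%s\n' "$bastion" "$src" "$target" "$dest"
}

# Block until the forward accepts connections, up to $2 seconds.
wait_for_port() {
    port=$1; tries=${2:-10}
    while [ "$tries" -gt 0 ]; do
        if nc -z 127.0.0.1 "$port" 2>/dev/null; then return 0; fi
        tries=$((tries - 1)); sleep 1
    done
    return 1
}

# Full procedure: open tunnel, wait for it, sync, then drop the background ssh
# so the forward does not outlive the job.
run_sync() {
    bastion=$1; target=$2; port=$3; src=$4; dest=$5
    sh -c "$(tunnel_cmd "$bastion" "$target" 22 "$port")" || return 1
    wait_for_port "$port" 10 || { echo "tunnel to $target never came up" >&2; return 1; }
    sh -c "$(rsync_cmd "$port" "$src" "$dest")"
    status=$?
    pkill -f "ssh -f -N -L 127.0.0.1:$port:" 2>/dev/null
    return $status
}

# Usage, e.g.:  sh tunnel-rsync.sh B A 44001 /local-src-on-C /remote-dest-on-A
# For the database case, open the forward and point the GUI at 127.0.0.1:3306:
#   sh -c "$(tunnel_cmd B MySQL_Server 3306 3306)"
if [ "$#" -eq 5 ]; then
    run_sync "$@"
fi
```

The tear-down step matters on a shared desktop: a forgotten `ssh -f -N -L` keeps a path into the internal network open for as long as the process lives, which is the same concern that led the other site mentioned above to reboot its SSH server weekly.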
