Edward Ned Harvey wrote:
>> I am not sure.  The idea is to protect the inner system.  It may be
>> that a simple port forwarding would accomplish that but I am not sure
>> I can convince my boss.  If I were to do a simple port forwarding this
>>     
>
> In that case ...
>
> Keep your sshd up to date.  As long as you do this, sshd is a very reliable
> good protocol nearly impossible for anyone to hack via any means other than
> "blatant server misconfiguration" or "stupid user".  Disallow root login via
> ssh.  Root is the only username that's pretty well guaranteed to exist on
> every machine, and 99% of the time, an inbound ssh attack would be an
> unintelligent root brute force (you can validate this just by looking at
> your logs occasionally).  At one point, I enabled super-verbose-debug sshd
> to allow me to see the failed usernames & passwords in the log, and it's
> really dumb, like "root/password" and "root/admin" and "root/root" etc.
> Enforce a password complexity requirement.  In my case, I have linux
> authenticate against AD via kerberos, where it's really easy to have a
> strong password policy.
>
> If possible, include a 2nd level of authentication, such as "both ssh key
> and password required" or "password and secureid required" or something like
> that, which makes any brute force attempt or stupid user preying irrelevant
> too.  Does anybody have any comments on how to do this?
>
> And then, simply open port 22 to the internet.
>
> Whenever I've done this, I have occasionally seen brute force attacks come
> in and get correctly consistently denied - but it can still drive 100% cpu
> usage on the server and/or heavy network traffic.  So I also like to run
> sshd on a nonstandard port.
>
You need sshd on a standard port for your *users* to be able to use it. 
Hiding ssh on a strange port doesn't really add much protection. 
SecureID (or similar) access is good because it requires your users to 
use 'something they have' (the token generator). Tokens with PINs are 
better because they require both 'something they have' (the token) plus 
'something they know' (the PIN).  This is a two-factor password, and 
considered secure enough for most any commercial enterprise. *Do* keep 
your ssh daemon up to date, and do disallow root logins, both as 
recommended by Ned.

Using ssh as a gateway is certainly secure enough for most enterprises, 
although VPNs are more convenient for a lot of users (read: non-techie 
managers and salespeople, almost always on Windows. :-)

- Richard
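As an added example that is not part of the thread and not any poster's own code, the following Python script puts two of the points above into checkable form: it audits a constructed sshd_config for the settings Ned and Richard recommend (root login disabled, and a second factor enforced through AuthenticationMethods so that both a key and a password are required), and it tallies failed logins from a few constructed auth.log lines the way Ned suggests looking at who the brute-forcers are after. The config text and log lines are constructed sample data; a missing PermitRootLogin is assumed to mean "yes", as in older OpenSSH releases.

```python
"""Added example for this thread (not code from any poster): check an
sshd_config against the recommendations above and tally failed logins
from auth.log lines. All config text and log lines here are constructed."""
import re
from collections import Counter

# Constructed "before" sshd_config with the weak settings the thread warns about.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed hardened counterpart. A comma-joined AuthenticationMethods list
# means every method in it must succeed, i.e. "both ssh key and password".
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password
MaxAuthTries 3
"""

def parse_sshd_config(text):
    """Map lower-cased directive -> value. sshd uses the first occurrence of a
    directive, so later duplicates are ignored here as well."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), parts[1].strip())
    return conf

def audit_sshd_config(text):
    """Return a list of findings; an empty list means the config meets the
    thread's recommendations. Assumes a missing PermitRootLogin means 'yes',
    which was the default in older OpenSSH releases."""
    conf = parse_sshd_config(text)
    findings = []
    root = conf.get("permitrootlogin", "yes").lower()
    if root not in ("no", "prohibit-password", "without-password", "forced-commands-only"):
        findings.append("PermitRootLogin is '%s'; set it to 'no'" % root)
    # Second factor: every alternative group in AuthenticationMethods must
    # require at least two methods (groups are space-separated alternatives,
    # methods within a group are comma-separated and all required).
    groups = conf.get("authenticationmethods", "").split()
    if not groups or any(len(g.split(",")) < 2 for g in groups):
        findings.append("AuthenticationMethods does not require two factors "
                        "(e.g. 'publickey,password')")
    return findings

# Constructed auth.log excerpt: mostly root guesses from one address, one
# 'invalid user' guess, one legitimate key login and one mistyped password.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:02 gw sshd[2311]: Failed password for root from 203.0.113.5 port 51342 ssh2
Mar  3 10:15:04 gw sshd[2311]: Failed password for root from 203.0.113.5 port 51342 ssh2
Mar  3 10:15:07 gw sshd[2315]: Failed password for invalid user admin from 203.0.113.5 port 51360 ssh2
Mar  3 10:16:41 gw sshd[2320]: Failed password for root from 198.51.100.23 port 40122 ssh2
Mar  3 10:17:12 gw sshd[2324]: Accepted publickey for alice from 192.0.2.10 port 50100 ssh2
Mar  3 10:18:30 gw sshd[2330]: Failed password for alice from 192.0.2.10 port 50104 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def summarize_failed_logins(log_text):
    """Count failed password attempts per username and per source address.
    Returns (by_user, by_source, root_share) where root_share is the fraction
    of all failures that targeted root."""
    by_user, by_source = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            by_user[m.group(1)] += 1
            by_source[m.group(2)] += 1
    total = sum(by_user.values())
    root_share = by_user["root"] / total if total else 0.0
    return by_user, by_source, root_share

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, "->", audit_sshd_config(cfg) or ["ok"])
    users, sources, share = summarize_failed_logins(SAMPLE_AUTH_LOG)
    print("failed logins by user:", dict(users))
    print("failed logins by source:", dict(sources))
    print("share aimed at root: %.0f%%" % (share * 100))
```

The per-source tally is what you would feed a rate limiter or firewall rule to address Ned's CPU and bandwidth complaint; on the sshd side, MaxAuthTries (shown in the hardened config) and MaxStartups cap how much work an unauthenticated connection can cause before it is dropped.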
_______________________________________________
Tech mailing list
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
 http://lopsa.org/
