tlug.jp Mailing List Archive
- Date: Sun, 4 Jun 2017 15:17:00 +0900
- From: Curt Sampson <cjs@example.com>
- Subject: Re: [tlug] remote access to server
- User-agent: Mutt/1.5.23 (2014-03-12)
On 2017-06-03 14:59 +0900 (Sat), Furkan Mustafa wrote:

> * Disable password login from /etc/ssh/sshd_config and use only public
> key authentication.

Right. Also set `PermitRootLogin no`. These two things do more to protect your system than pretty much anything else and are also amongst the very simplest and cheapest things to do.

I feel that trying to go much beyond this is a bad idea; the problems with more complex configurations layered on top of this range from accidentally cutting off access for yourself to accidentally opening up holes that you'd thought you'd closed. (For example, I've seen configurations where sysadmins have tried to require both a public key AND a password, but what looked like simple configuration changes later turned out to have a non-obvious side effect of changing this to public key OR password, effectively removing all the security they'd gotten from requiring a public key.)

On 2017-06-03 18:24 +0100 (Sat), Darren Cook wrote:

> One to add to the list of techniques so far is the use of ipset. We use
> this to control access to admin websites. E.g. one of our iptables
> entries is:
>
> -A INPUT -p tcp --dport 443 -m set --match-set myip src -j ACCEPT
>
> I use this manually over ssh. E.g. if I'm at a coffee shop and need to
> use an admin page, I will first find out my public ip, then ssh in and
> (as root) run:
>
> ipset add myip 1.2.3.4
>
> In fact, in that example I would actually do:
>
> ipset add myip 1.2.3.4 timeout 3600

This is a perfect example of additional complexity making things less secure. Just block all admin access to any address but 127.0.0.1 on the server and use SSH port forwarding to access the admin server on that address. Now you not only have massively reduced your chance of misconfiguring things, but you also don't open up access for anybody else using "your" IP address (such as everybody else on a LAN that accesses the Internet via NAT).
cjs
-- 
Curt Sampson <cjs@example.com>  +81 90 7737 2974
To iterate is human, to recurse divine. - L Peter Deutsch
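As an added example (mine, not code from the thread or any poster), a small POSIX shell audit of the two sshd_config settings recommended above, `PasswordAuthentication no` and `PermitRootLogin no`, that reads the file the way sshd does (first occurrence wins, Match blocks do not change the global value). It also flags the comma-versus-space form of OpenSSH's `AuthenticationMethods` directive, which is my reading of the "AND silently became OR" change described in the post; the post itself does not name the directive, and the sample configs are constructed.

```shell
#!/bin/sh
# Audit an sshd_config for the thread's two recommendations (PasswordAuthentication no,
# PermitRootLogin no) and flag the AND-vs-OR pitfall: in OpenSSH's AuthenticationMethods
# directive "publickey,password" (comma) requires both methods, while
# "publickey password" (space) accepts either one.

# sshd_opt FILE KEYWORD: print the effective global value of KEYWORD. sshd honours
# the first occurrence (keywords are case-insensitive), so stop there and ignore Match blocks.
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                       # strip comments
        tolower($1) == "match" { exit }          # global section ends at the first Match
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print tolower($0); exit }
    ' "$1"
}

# audit_sshd_config FILE: print findings; return 0 only if both settings are
# explicitly "no". An unset PasswordAuthentication means yes (the OpenSSH default).
audit_sshd_config() {
    rc=0
    pw=$(sshd_opt "$1" PasswordAuthentication)
    root=$(sshd_opt "$1" PermitRootLogin)
    am=$(sshd_opt "$1" AuthenticationMethods)
    [ "${pw:-yes}" = no ] ||
        { echo "FAIL: PasswordAuthentication=${pw:-yes} (want no)"; rc=1; }
    [ "$root" = no ] ||
        { echo "FAIL: PermitRootLogin=${root:-unset} (want no)"; rc=1; }
    case "$am" in
        *" "*) echo "WARN: AuthenticationMethods='$am' accepts ANY listed method (space = OR, comma = AND)" ;;
    esac
    return $rc
}

# Constructed sample configs (not from the thread).
weak=$(mktemp) good=$(mktemp)
trap 'rm -f "$weak" "$good"' EXIT
cat > "$weak" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
AuthenticationMethods publickey password
Match User deploy
    PasswordAuthentication no
EOF
cat > "$good" <<'EOF'
# PasswordAuthentication yes   (commented out, so ignored)
PasswordAuthentication no
PermitRootLogin no
EOF
for f in "$weak" "$good"; do audit_sshd_config "$f" && echo "OK: $f" || echo "REVIEW: $f"; done
```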
- References:
- [tlug] remote access to server
- From: Kevin Sullivan