Re: Securing SSH

From: security (security_at_kalamiteit.nl)
Date: 01/10/04

    Date: Sat, 10 Jan 2004 03:40:14 +0100
    To: rolandv@xtra.co.nz, security-basics@securityfocus.com
    
    

    Hi,
    You can of course allow a whole range / a domain to access a running
    service on your system through your /etc/hosts.allow. You can also add
    something like a "backdoor" that you have to trigger to get access to
    your machine; I find tools like SAdoor pretty nice
    ( http://cmn.listprojects.darklab.org/ ).
     " /etc/hosts.allow

    sshd: LOCAL, .some.domain.org xxx.xxx.xxx.xxx XXX.XXX.XxX.XXX
    "
    That should allow your engineers that use dial-up to always be able to
    log on, as their host will still be "something.some.domain.org". Of
    course that gives access to all the people using that ISP, but how many
    people do NOT use it? Also try to use some hostname for your IP, like...
    register a hostname that points to your IP, and if the ISP changes your
    IP, you will always be able to change it.
    Let me explain: your IP is 123.123.123.123 and you have a domain that
    points to that IP, let's say "home.host.org" (which is allowed in the
    /etc/hosts.allow). If the ISP changes the IP, you only need to tell
    "home.host.org" to point to the new IP, and you will be able to access
    your machine again!
    I hope you understand what I mean, as it is late here and I am pretty
    tired!

    cheers
    Amine
    Roland Venter wrote:

    >I need to manage several servers remotely via SSH, I'm interested in ways to
    >secure the connection and prevent unauthorised access.
    >
    >My thoughts:
    >Limit access to only allow remote connections from our management network
    >via iptables rules. Works but what if our ISP changes our fixed IP, which
    >means we are effectively locked out from all the servers and requires a site
    >visit to update the rules.
    >
    >We also need to provide access to engineers working from home using dialup,
    >etc
    >
    >Some sort of client certificates to supplement username and password,
    >
    >Recommendations on securing the SSH daemon etc
    >
    >Any ideas and tips or random thoughts appreciated
    >
    >Cheers,
    >Roland
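
An added example (not part of the original messages): a simplified Python model of hosts_access(5) client matching applied to the rule in the reply above, showing that the domain pattern admits any customer of that ISP and that names are matched against the client's forward-confirmed reverse DNS, so a forward-only name such as home.host.org matches only if the reverse record returns it too. The rule line is combined from the reply's two suggestions, and the DNS tables and all addresses other than 123.123.123.123 are constructed sample data.

```python
# Added example: simplified model of hosts_access(5) client matching.
# RULE combines the reply's suggestions; DNS tables are constructed sample data.
def verified_name(address, ptr, forward):
    """Reverse-DNS name, kept only if it resolves forward to the same address."""
    name = ptr.get(address)
    if name and address in forward.get(name, ()):
        return name.lower()
    return None  # no PTR, or forward lookup disagrees: no trusted name

def pattern_matches(pattern, name, address):
    pat = pattern.lower()
    if pat == "all":
        return True
    if pat == "local":                # host name without a dot
        return name is not None and "." not in name
    if pat.startswith("."):           # domain suffix, compared with the name
        return name is not None and name.endswith(pat)
    if pat.endswith("."):             # address prefix such as "192.0.2."
        return address.startswith(pat)
    return pat in (address, name)     # exact address or exact name

def allowed(rule, daemon, address, ptr, forward):
    """True if one 'daemons: clients' line admits this client address."""
    daemons, clients = rule.split(":", 1)
    if daemon not in daemons.replace(",", " ").split():
        return False
    name = verified_name(address, ptr, forward)
    return any(pattern_matches(p, name, address)
               for p in clients.replace(",", " ").split())

RULE = "sshd: LOCAL, .some.domain.org 123.123.123.123 home.host.org"
PTR = {  # reverse DNS: set by whoever controls the address block
    "198.51.100.7": "ppp7.some.domain.org",    # engineer on dial-up
    "198.51.100.99": "ppp99.some.domain.org",  # unrelated customer, same ISP
    "203.0.113.5": "ppp1.some.domain.org",     # forged PTR in a foreign block
    "192.0.2.44": "cust44.isp.example",        # office IP after renumbering
}
FORWARD = {  # forward DNS: set by whoever controls the name
    "ppp7.some.domain.org": ["198.51.100.7"],
    "ppp99.some.domain.org": ["198.51.100.99"],
    "ppp1.some.domain.org": ["198.51.100.1"],
    "cust44.isp.example": ["192.0.2.44"],
    "home.host.org": ["192.0.2.44"],           # dynamic name, repointed by admin
}

def check(address):
    return allowed(RULE, "sshd", address, PTR, FORWARD)

if __name__ == "__main__":
    print({a: check(a) for a in list(PTR) + ["123.123.123.123"]})
```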

