Re: Questions on secure remote access to Fedora Core 2

On Fri, 27 Oct 2006 01:42:21 +0200, Ertugrul Soeylemez wrote:

> Now that you say that everything works, I'd like to clear a few things
> up, as it seems that there is a lot of misconception.

Good evening, E.S.

I don't know if I'd say "everything works", exactly :-) ... It's getting
there, actually getting there faster than I thought it would (thanks
mostly to you guys), but it still has a ways to go.

As for misconception ... uh huh, lots and lots of that :-). Again, thanks
to you guys, it's being chipped away bit by bit.

> The first thing is: host-based filtering is bad -- really bad! It's
> not secure at all, because hostnames (e.g. IP addresses) can be forged.

Right, I actually learned this the hard way not so very long ago. :-\

I'm using host-based filtering only as one (minor) tool in the toolbox
among some more powerful ones. As you say, it adds a bit of security, and
every little bit helps these days.

> If you really need a live connection to the server (which I can't
> imagine), then SFTP is probably a good idea.

Yeah, we do need that. We need to store things on a secure FTP server,
and also are using Subversion for document revision control. So far I
have SFTP working, and svn+ssh is sort of working. Haven't figured out
how to generate and apply keys yet, but that's next.

> If all machines are Linux-based, then Network Block Devices [2] are a
> good idea, too. They can be encrypted/decrypted locally, such that no
> single plain-text byte ever enters the wire.

That's the first I've heard of Network Block Devices. I'll study up on
that. It sounds like a useful tool.

However ... if I'm using only SSH-based connections (SSH, SFTP, svn+ssh),
don't they also prevent a single plain-text byte from entering the wire?

> Cryptographic VPNs are also a very good idea to protect not only file
> data, but any data that is passed through the network. VPNs can be used
> to create a virtual network inside of an existing one. To the user it
> appears just like any other network, but everything in it is encrypted
> and authenticated.

Would a cryptographic VPN be "better" than SSH and friends, assuming I get
the SSH keys set up correctly?

I think that what I would like to do is finish up a correct and secure
implementation of SSH and friends, since that's sort of "almost" working,
and then once that is up and running, I can start studying up on OpenVPN.
Does that sound like a reasonable approach?
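An added example, not from either poster, showing the two things the reply above is working toward: a key-only SSH setup for svn+ssh and SFTP, and an sshd configuration that does not rely on host or address filtering at all. It assumes a repository root of /srv/svn and an account name "alice"; the public key in the demo is a constructed placeholder, not a real key. The authorized_keys line pins the key to svnserve in tunnel mode and strips forwarding and pty allocation, so a stolen key gets Subversion access and nothing else; the sshd_config fragment turns off password and host-based authentication so the key is the only way in.

```shell
#!/bin/sh
# Added example (not code from the original thread).
# Assumed repository root for svn+ssh; adjust to taste.
SVN_ROOT=/srv/svn

# 1. Client side: generate an ed25519 key pair with no passphrase prompt
#    scripted in (run interactively to set one). Only runs if ssh-keygen exists.
gen_key() {
  keyfile="$1"
  command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found" >&2; return 1; }
  ssh-keygen -t ed25519 -N "" -C "svn-$(whoami)" -f "$keyfile" -q
}

# 2. Server side: build one authorized_keys line that forces svnserve in
#    tunnel mode (-t) rooted at SVN_ROOT, records the user for commits
#    (--tunnel-user), and denies port/X11/agent forwarding and a pty.
#    Append the output to ~/.ssh/authorized_keys of the svn account.
restricted_key_line() {
  user="$1"; pubkey="$2"
  printf 'command="svnserve -t -r %s --tunnel-user=%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
    "$SVN_ROOT" "$user" "$pubkey"
}

# 3. sshd_config fragment: keys only, no passwords, no trust by hostname/IP.
sshd_fragment() {
  cat <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
HostbasedAuthentication no
PermitRootLogin no
EOF
}

# 4. Check an sshd_config for the directives that matter here.
#    Returns 0 when all are present exactly, 1 (and names the first gap) otherwise.
check_sshd_config() {
  file="$1"
  for want in "PubkeyAuthentication yes" "PasswordAuthentication no" "HostbasedAuthentication no"; do
    grep -qx "$want" "$file" || { echo "missing: $want" >&2; return 1; }
  done
  return 0
}

# Stand-alone demo with a constructed (not real) public key.
DEMO_PUBKEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyBodyNotARealKey alice@laptop"
echo "# authorized_keys entry:"
restricted_key_line alice "$DEMO_PUBKEY"
echo "# sshd_config fragment:"
sshd_fragment
```

After appending the fragment to /etc/ssh/sshd_config and reloading sshd, confirm from the client with `ssh -v -i ~/.ssh/svn_ed25519 alice@server` that the key is offered and accepted and that password authentication is never tried; `svn ls svn+ssh://alice@server/project` should then work without a shell ever being granted. Test the change from a second session before closing the one you used to edit the config.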
