[CentOS] Security advice, please

Bill Campbell centos at celestial.com
Wed Dec 24 17:43:19 UTC 2008


On Wed, Dec 24, 2008, jkinz at kinz.org wrote:
>Top posting to ask a question regarding the article below:
>
>Hi Warren, Nice explanation.  I would like to ask what you
>recommend people do if they want to be able to ssh in from 
>anywhere on the internet. Say they are going to be traveling and
>they know they will have to login from machines they have no
>control over, like an internet cafe or a Hotel's business
>services suite? 

I always have my laptop with me, and have systems here configured to (a)
accept only authorized_keys, (b) allow access from any IP, and (c) use
fail2ban to limit the number of log entries from failed attempts to access
the systems.  All logins to our customer sites are then initiated from
inside our network once I have established the initial connection from the
remote location so those connections can be much more restrictive if
necessary.

One possibility would be to have a machine configured to allow password
access from the world which one could log into, then execute ssh-agent, and
ssh-add (with a strong pass phrase) on that machine to get access to other
systems on your network.

If there is some reason that an ssh cannot be established, usually it's
possible to connect with OpenVPN, which works nicely behind NAT firewalls
and does not require kernel hacking on CentOS as things like PPTP do.

You make the job much more difficult when asking that you be able to get in
from any old machine you might find in public space.  Other than the fact
that the owners of these machines generally don't allow people to install
software on them, I would be very reluctant to do anything on them that
involved secure logins as who knows what key capture or other spyware is
running on them.

One may be able to access you systems using webmin or its usermin module
over an SSL connection, and webmin has a terminal interface allowing one to
get a connection to systems.  If I remember correctly, this does require
Java(tm) on the connecting machine, and that webmin be configured to permit
use of the terminal module.

I much prefer restrict webmin and usermin access though as I have seen far
too many systems cracked through it because it only has username, password
authentication, and too many times, user's passwords are easily cracked.
Once somebody is logged into usermin, for instance, they may have access to
tools such as the chfn (change finger information) command which at one
time on SuSE systems allowed them to change their uid to ``0'' and gain
root access to the system.

In summary, I would be extremely reluctant to allow access from public
machines where there is no assurance how much malware is running on top of
the Microsoft virus, Windows.  It's very easy to revoke authorized_keys or
OpenVPN access for a lost or stolen laptop.  Allowing password access by
any means opens up a large can of worms.

...
Bill
-- 
INTERNET:   bill at celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice:          (206) 236-1676  Mercer Island, WA 98040-0820
Fax:            (206) 232-9186

If the government can take a man's money without his consent, there is no
limit to the additional tyranny it may practise upon him; for, with his
money, it can hire soldiers to stand over him, keep him in subjection,
plunder him at discretion, and kill him if he resists.
	Lysander Spooner, 1852


More information about the CentOS mailing list