[CentOS] I appear to be attacking others
Benjamin Smith
lists at benjamindsmith.com
Sat Feb 11 08:44:08 UTC 2006
On Tuesday 07 February 2006 18:08, ryan wrote:
> On Tuesday 07 February 2006 11:41 am, James Gagnon wrote:
> > But then again... one has to wonder how secure remote desktop for
> > windows really is... guess it's a win/lose situation =)
>
> Not as secure as SSH....but I definitely think you are on to something.
>
> An interesting solution is to have a really locked down but low-end machine
> (p2/64 MB RAM) on your LAN that serves one purpose - to be an SSH server.

I do something very similar. I work as a freelance admin at three different
locations, all set up virtually the same:

1) I have a host that does backups. It is a cheap-o system, lots of disk space,
running a backup script I wrote: http://www.effortlessis.com/backupbuddy/

2) SSHd is on a "goofy" port, somewhere high and random.

3) I permit root without-password - RSA key needed to get in, passwords are
irrelevant.

4) Backup host accepts SSH connections from the world - but there are NO
PASSWORDS ON THE MACHINE. The only way to get in is as root, and then only
with RSA (ssh2) keys.

5) All other hosts on the network have DENY rules on their input for anything
but from the backup host and my house.

6) Since the backup host HAS to have root access to the other servers (in
order to read all the files!), logging into the backup server (via RSA
keys) gives access to all other hosts on the LAN.

7) Backup host is some otherwise retired PII/PIII with a few hundred MB of RAM
and a few cheapo pricewatch.com IDE drives globbed together with software
RAID/LVM to provide gobs of cheap storage space.

I've been using this framework for a few years now, and it's very successful.
When I'm at "home" (home/office) I get unfettered SSH access to all the hosts
via RSA keys. When I'm on vacation, and logging in via some hotel network to
fix a problem, I log in with my laptop via the backup host and then to the
server in question to figure it out.

Food for thought, hope it helps.

-Ben
--
"The best way to predict the future is to invent it."
- XEROX PARC slogan, circa 1978
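
The following is an added example, not part of the original post or the poster's own tooling: a small audit that checks an sshd_config against the setup described in points 2 to 4 (high non-default port, root restricted to key logins, no password logins). The sample config, the port number and the function names are assumptions made for illustration; `prohibit-password` is accepted because it is the newer OpenSSH spelling of `without-password`, and requiring `PasswordAuthentication no` is one assumed way of enforcing "keys only" for every account.

```python
import re

# Constructed sample (not from the post); the port number is arbitrary.
SAMPLE_CONFIG = """\
# backup / SSH entry host
Port 48022
PermitRootLogin without-password
PasswordAuthentication no
# the duplicate below is ignored: sshd keeps the first value
PasswordAuthentication yes
"""

def parse_global(text):
    """Map each global keyword (lowercased) to its values, in file order.

    Parsing stops at the first Match block, which only holds overrides.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # "Keyword value" and "Keyword=value" are both accepted by sshd.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if parts[0].lower() == "match":
            break
        settings.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return settings

def audit(text):
    """Return findings; an empty list means the file matches the described setup."""
    s = parse_global(text)
    first = lambda key: s.get(key, [None])[0]  # sshd keeps the first value it reads
    findings = []
    # Port may be repeated and every listed port is opened; 22 is used when absent.
    # ListenAddress host:port entries are not examined here.
    for port in s.get("port", ["22"]):
        if not port.isdigit() or int(port) < 1024:
            findings.append(f"Port {port}: not a high, non-default port")
    if first("permitrootlogin") not in ("without-password", "prohibit-password"):
        findings.append("PermitRootLogin does not restrict root to key logins")
    if first("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not explicitly 'no'")
    if re.search(r"(?im)^\s*match\s", text):
        findings.append("Match block present: its overrides need a separate review")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG) or "OK: key-only root login on a high port")
```

With `PermitRootLogin without-password` alone, only root is barred from password logins, which is why the audit also looks at `PasswordAuthentication`.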