On Tue, Jul 22, 2008 at 12:12 AM, Guy Boisvert <boisvert.guy at videotron.ca> wrote:
> Michael Gabriel wrote:
>>
>> I just wanted to get some feedback from the community. Over the last few
>> days I have noticed attempts to ssh into my web server and email box
>> using weird names like admin, appuser, nobody, etc. None of these are
>> valid users. I know that I can block sshd altogether with iptables, but
>> that will not work for us. I did a little research on Google and found
>> programs like sshguard and sshdfilter. I just wanted to know if anyone has
>> any experience with anything like these programs or has any other advice.
>> I really appreciate it.
>>
>
> I don't know if anybody on this list tried SPA (Single Packet
> Authorization):
>
> http://www.linuxjournal.com/article/9565
>
> As another person mentioned earlier, the idea of using a VPN is very good.
>
> I use pfSense, and the VPN server inside gives the connecting user an address
> on a virtual subnet. Each user is given a distinct fixed IP address. Then
> it's easy to set up firewall rules based on what you allow the user to do. I
> do 10 Mbps symmetric with a "recycled" 1U Dell PowerEdge 350 (PIII/800, 512
> Megs RAM). We do QoS (we have 1 WME Streaming Server, 1 Darwin Streaming On
> Demand Server, FTP, DNS, SMTP, etc). The CPU usage is very low. I love
> pfSense a lot. The only thing I struggled with a little was when I tried to
> authenticate the user with Active Directory (M$ IAS = RADIUS). It works, but
> I have yet to find a way to assign a fixed address to each user. I can do
> this if I use the pfSense integrated user manager (for VPN).
>
> In another place, I use a CentOS box as a remote gateway using SSH. I
> changed the SSH port, use DenyHosts, force SSH V2 and forbid password login
> (SSH key login mandatory).
>
> I even got a VBS script for our Winblows users that uses plink (member of
> the PuTTY family) to connect, authenticate with keys and launch an RDP
> terminal to connect to the Winblows Terminal Server (all this automated).
> The only prompt the user gets is for entering his remote login name (the
> user must know it or the connection will be refused).
>
> I did an installer (with Nullsoft's NSIS) so allowed Winblows users can
> easily install all this: the installer creates icons, protects SSH keys
> (NTFS encryption), etc. The installer is protected by a password.

How do you get the keys to the server the first time after they're generated? It's kind of the chicken-and-egg problem without password authentication -- that's why I still have passwords turned on (but require __very__ strong passwords).
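Guy's sshd hardening list (changed port, SSH V2 forced, password login forbidden) as an added example that is not part of the thread: a POSIX shell audit of an sshd_config that flags each of those settings when left at its default, run over two constructed sample configs. The ChallengeResponseAuthentication check is the one item beyond his list, because with UsePAM on, keyboard-interactive authentication can still accept a password; the function names and sample files are my own.

```shell
# Added example, not from the thread: audit an sshd_config for the settings Guy
# lists (no password login, protocol 2 forced, non-default port) plus the PAM
# caveat that makes "forbid password login" incomplete on a CentOS box.

# Effective value of keyword $2 in file $1. sshd takes the FIRST occurrence,
# keywords are case-insensitive, and anything after a Match block is conditional.
sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match"      { exit }
        tolower($1) == key          { print $2; exit }' "$1"
}

# Prints one "WEAK: ..." line per finding, then "weak=N". Always returns 0.
audit_sshd_config() {
    cfg=$1; weak=0
    # Unset means the compiled-in default, which is yes.
    pw=$(sshd_option "$cfg" PasswordAuthentication | tr 'A-Z' 'a-z')
    if [ "$pw" != "no" ]; then
        echo "WEAK: PasswordAuthentication=${pw:-unset}; set to no"; weak=$((weak+1))
    fi
    # With UsePAM yes, keyboard-interactive auth still accepts a password
    # unless this is also off.
    cr=$(sshd_option "$cfg" ChallengeResponseAuthentication | tr 'A-Z' 'a-z')
    if [ "$cr" != "no" ]; then
        echo "WEAK: ChallengeResponseAuthentication=${cr:-unset}; set to no"; weak=$((weak+1))
    fi
    # Force protocol 2 explicitly instead of trusting the build's default.
    proto=$(sshd_option "$cfg" Protocol)
    if [ "$proto" != "2" ]; then
        echo "WEAK: Protocol=${proto:-unset}; set to 2"; weak=$((weak+1))
    fi
    # Port 22 is not a weakness, but it is what fills the logs with scanner noise.
    port=$(sshd_option "$cfg" Port)
    [ "${port:-22}" = "22" ] && echo "NOTE: Port=${port:-unset}; default port draws scanners"
    echo "weak=$weak"
}

# Constructed sample configs (not from any real host).
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
printf 'Port 22\nProtocol 2,1\nUsePAM yes\n' > "$WEAK_CFG"
printf 'Port 2222\nProtocol 2\nPasswordAuthentication no\n' > "$HARD_CFG"
printf 'ChallengeResponseAuthentication no\nUsePAM yes\n' >> "$HARD_CFG"

audit_sshd_config "$WEAK_CFG"   # three WEAK lines, one NOTE, then weak=3
audit_sshd_config "$HARD_CFG"   # weak=0
```

Point it at /etc/ssh/sshd_config on the gateway to see which of the three items are actually in force rather than assumed.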