I appear to be attacking others




On Tuesday 07 February 2006 18:08, ryan wrote:
> On Tuesday 07 February 2006 11:41 am, James Gagnon wrote:
> > But then again... one has to wonder how secure remote desktop for
> > windows really is... guess it's a win/lose situation =)
> 
> Not as secure as SSH....but I definitely think you are on to something.
> 
> An interesting solution is to have a really locked down but low-end machine 
> (p2/64 MB RAM) on your LAN that serves one purpose - to be an SSH server. 

I do something very similar. I work as a freelance admin at three different 
locations, all set up virtually the same: 

1) I have a host that does backups. It is a cheap-o system, lots of disk space,
running a backup script I wrote: http://www.effortlessis.com/backupbuddy/
2) SSHd is on a "goofy" port, somewhere high and random. 
3) I permit root without-password - RSA key needed to get in, passwords are 
irrelevant. 
4) Backup host accepts SSH connections from world - but there are NO PASSWORDS 
ON THE MACHINE. The only way to get in is as root, and then only with RSA 
(ssh2) keys. 
5) All other hosts on the network have DENY rules on their input for anything 
but from the backup host and my house. 
6) Since the backup host HAS to have root access to the other servers (in
order to read all the files!), logging into the backup server (via RSA
keys) gives access to all other hosts on the LAN.
7) Backup host is some otherwise retired PII/PIII with a few hundred MB of RAM 
and a few cheapo pricewatch.com IDE drives globbed together with software 
RAID/LVM to provide gobs of cheap storage space. 

I've been using this framework for a few years now, and it's very successful. 
When I'm at "home" (home/office) I get unfettered SSH access to all the hosts 
via RSA keys. When I'm on vacation, and logging in via some hotel network to 
fix a problem, I log in with my laptop via the backup host and then to the
server in question to figure it out. 

Food for thought, hope it helps. 

-Ben 
-- 
"The best way to predict the future is to invent it."
- XEROX PARC slogan, circa 1978
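As an added example, not code from Ben's post or his backupbuddy script: a POSIX shell audit that checks an sshd_config against the sshd-side rules in the list above (a nonstandard port, root allowed only with a key, no password authentication). The sample config is constructed, file paths are temporary, and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example (not from the post or its backupbuddy script): audit an
# sshd_config for the settings the backup host relies on. Paths and the
# sample config below are constructed; Match blocks are not evaluated.

# Effective value of a keyword: comments ignored, case-insensitive, and the
# FIRST occurrence wins, which is how sshd_config(5) says sshd reads it.
sshd_opt() {
    # $1 = config file, $2 = keyword. Prints "" if the keyword is unset.
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) && !seen { print $2; seen = 1 }
    ' "$1"
}

# Print one FAIL line per finding and return the number of findings.
audit_sshd() {
    cfg="$1"; fails=0
    port=$(sshd_opt "$cfg" Port)
    root=$(sshd_opt "$cfg" PermitRootLogin)
    pass=$(sshd_opt "$cfg" PasswordAuthentication)
    pubkey=$(sshd_opt "$cfg" PubkeyAuthentication)
    # 2) "goofy" port: an unset Port means the default, 22.
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "FAIL Port: sshd on default port 22"; fails=$((fails + 1))
    fi
    # 3) root only with a key; prohibit-password is the OpenSSH 7.0+ spelling.
    case "$root" in
        without-password|prohibit-password) ;;
        *) echo "FAIL PermitRootLogin: '${root:-unset}' (want without-password)"
           fails=$((fails + 1)) ;;
    esac
    # 4) passwords irrelevant: password auth off, keys on (default is yes).
    if [ "$pass" != "no" ]; then
        echo "FAIL PasswordAuthentication: '${pass:-unset}' (want no)"
        fails=$((fails + 1))
    fi
    if [ "$pubkey" = "no" ]; then
        echo "FAIL PubkeyAuthentication: explicitly disabled"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Demo on a constructed config; the trailing 'no' does not rescue it.
demo_cfg=$(mktemp)
printf 'Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n# fix?\nPasswordAuthentication no\n' > "$demo_cfg"
audit_sshd "$demo_cfg" || echo "$? finding(s) on the constructed config"
rm -f "$demo_cfg"
```

Run it against /etc/ssh/sshd_config on the backup host; a non-zero exit status is the number of rules the file does not meet.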
