| 1 |
Hi, |
| 2 |
|
| 3 |
From a security point of view, your best shot is to use port knocking and one |
| 4 |
time passwords. Port Knocking will keep your server without open ports |
| 5 |
available for possible attacks and the one time passwords are a very secure |
| 6 |
way to send passwords even in plaintext. After that you can use your common |
| 7 |
techniques (not using root, using keys with passphrases in encrypted usb |
| 8 |
devices all all your paranoia can think of) |
| 9 |
|
| 10 |
If the machine is a common target of attacks then just open the ports you need |
| 11 |
(80 and 443 for apache if it's a LAMP machine), setup port knocking in high |
| 12 |
ports, even ssh running at high ports and tarpit all the others (tarpit is |
| 13 |
one very interesting option of iptables when compiled with the extensions use |
| 14 |
flag). This way a simple port scan will leave the attacker with the machine |
| 15 |
almost impossible to use, and setting the non tarpit closed ports for port |
| 16 |
knocking to work in high numbered ports means there's less chance of a port |
| 17 |
scan find them just closed and not tarpitted. I dunno if port knocking works |
| 18 |
with tarpitted ports, if it does it's even better. |
| 19 |
|
| 20 |
The problems with this setup are: |
| 21 |
- Port Knocking needs extra software to work, although very simple, you can |
| 22 |
write a wrapper around ssh client in minutes |
| 23 |
- one time passwords needs you to keep a list of passwords, all the dangers |
| 24 |
associated with that |
| 25 |
- instalation of this setup in a remote machine is very likely to go wrong and |
| 26 |
need phisical access. |
| 27 |
|
| 28 |
Good luck. |
| 29 |
|
| 30 |
Ricardo Loureiro |
| 31 |
|
| 32 |
On Thursday 12 October 2006 03:01, Peter Abrahamsen wrote: |
| 33 |
> Hi list, |
| 34 |
> |
| 35 |
> I'm looking for some opinions for a security decision. I need to |
| 36 |
> enable remote administrative access to critical systems living about |
| 37 |
> 3-4 hours from me and in another country. The systems will be running |
| 38 |
> LAMP, more or less. |
| 39 |
> |
| 40 |
> Which is a better idea, allowing key-only root access, or ssh'ing in |
| 41 |
> as myself and running su/sudo/whatever? Either way, I'll set up |
| 42 |
> iptables so that connection attempts from anywhere other than my |
| 43 |
> office are -j DROP'ed. |
| 44 |
> |
| 45 |
> Thanks, |
| 46 |
> |
| 47 |
> Peter |
Archives