Hi,

From a security point of view, your best shot is to use port knocking and one
time passwords. Port knocking will keep your server without open ports
available for possible attacks, and the one time passwords are a very secure
way to send passwords even in plaintext. After that you can use your common
techniques (not using root, using keys with passphrases on encrypted USB
devices, all your paranoia can think of).

If the machine is a common target of attacks then just open the ports you need
(80 and 443 for Apache if it's a LAMP machine), set up port knocking on high
ports, even ssh running at high ports, and tarpit all the others (tarpit is
one very interesting option of iptables when compiled with the extensions USE
flag). This way a simple port scan will leave the attacker with the machine
almost impossible to use, and setting the non-tarpit closed ports for port
knocking to work on high numbered ports means there's less chance of a port
scan finding them just closed and not tarpitted. I dunno if port knocking works
with tarpitted ports; if it does it's even better.

The problems with this setup are:
- Port knocking needs extra software to work, although very simple; you can
write a wrapper around the ssh client in minutes
- one time passwords need you to keep a list of passwords, with all the dangers
associated with that
- installation of this setup on a remote machine is very likely to go wrong and
need physical access.

Good luck.

Ricardo Loureiro

On Thursday 12 October 2006 03:01, Peter Abrahamsen wrote:
> Hi list,
>
> I'm looking for some opinions for a security decision. I need to
> enable remote administrative access to critical systems living about
> 3-4 hours from me and in another country. The systems will be running
> LAMP, more or less.
>
> Which is a better idea, allowing key-only root access, or ssh'ing in
> as myself and running su/sudo/whatever? Either way, I'll set up
> iptables so that connection attempts from anywhere other than my
> office are -j DROP'ed.
>
> Thanks,
>
> Peter
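An added example, not from either message in this thread, of the server side of the port-knocking scheme Ricardo recommends: a small state machine that replays iptables LOG lines and reports which sources completed the knock sequence in order and within the time window, so a port scan sweeping the knock ports among many others never opens anything. The sequence, window, log format and addresses are constructed for the example.

```python
import re

# Constructed example values: the knock sequence (closed high ports, in order)
# and the maximum seconds allowed between consecutive knocks.
KNOCK_SEQUENCE = (7000, 8000, 9000)
KNOCK_WINDOW = 10

# Simplified, constructed log format: "<epoch> KNOCK: ... SRC=<ip> ... DPT=<port>".
# Lines like this would come from a rule such as
#   iptables -A INPUT -p tcp --syn -j LOG --log-prefix "KNOCK: "
# placed just before the rule that tarpits/drops everything not explicitly open.
LOG_RE = re.compile(r"^(?P<ts>\d+) KNOCK: .*SRC=(?P<src>[\d.]+) .*DPT=(?P<dpt>\d+)")

def process_knocks(log_lines, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
    """Replay LOG lines and return [(timestamp, src)] for every completed
    sequence. A knock on the wrong port, or one arriving after the window has
    expired, resets that source's progress."""
    progress = {}   # src -> (index of the next expected port, time of last knock)
    completed = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, src, dpt = int(m["ts"]), m["src"], int(m["dpt"])
        idx, last = progress.get(src, (0, ts))
        if ts - last > window:
            idx = 0                      # too slow: start over
        idx = idx + 1 if dpt == sequence[idx] else 0
        if idx == len(sequence):
            completed.append((ts, src))  # here the daemon would open ssh for src
            idx = 0
        progress[src] = (idx, ts)
    return completed

# Constructed log: 203.0.113.5 knocks correctly while a scanner (198.51.100.7)
# hits one right port then wrong ones, and 203.0.113.9 knocks too slowly.
SAMPLE_LOG = [
    "1000 KNOCK: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=7000",
    "1001 KNOCK: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=8000",
    "1002 KNOCK: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=50001 DPT=7000",
    "1003 KNOCK: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=9000",
    "1004 KNOCK: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=50002 DPT=8500",
    "1005 KNOCK: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=50003 DPT=8000",
    "1006 KNOCK: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=50004 DPT=9000",
    "1010 KNOCK: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40010 DPT=7000",
    "1030 KNOCK: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40011 DPT=8000",
    "1031 KNOCK: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40012 DPT=9000",
]
# process_knocks(SAMPLE_LOG) returns [(1003, '203.0.113.5')]
```

Only the office address completes the sequence; the scanner is reset by its wrong port and the slow knocker by the expired window.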