1 |
On Sun, 3 Feb 2008 07:27:12 -0800 |
2 |
Grant <emailgrant@×××××.com> wrote: |
3 |
|
4 |
> > > Well thank you for that. I had planned on setting up port |
5 |
> > > knocking for ssh and cups but I guess I'm just as well off |
6 |
> > > leaving them listening on 22 and 631? |
7 |
> > |
8 |
> > Fail2Ban, though a little intensive, seems to be a decent method for |
9 |
> > avoiding unwanted SSH traffic while accepting trusted traffic. I |
10 |
> > have seen one deployment where it seems passably inconspicuous, at |
11 |
> > least. |
12 |
> > |
13 |
> > Alternately, if you run SSH on an unusual port, you're unlikely to |
14 |
> > see much Bot traffic. I would recommend this, if you're concerned, |
15 |
> > above port knocking myself -- relying on a complicated |
16 |
> > "pre-authentication" method rather than / in addition to a remote |
17 |
> > admin tool like SSH seems to be asking for problems. |
18 |
> |
19 |
> Do you mean problems in the form of hassles? |
20 |
|
21 |
Yeah, hassles and potential misconfiguration, because if anything goes |
22 |
wrong (rookie admin messes up knocking, for instance, on the |
23 |
server/firewall) you can't log in from home and fix it, you have to |
24 |
drive all the way out there to get in from the other side. |
25 |
|
26 |
Port knocking seems like a decent security method to me, especially if |
27 |
it was running on the firewall and opened ports only to the knocking IP |
28 |
-- in that case, it certainly wouldn't be obvious to any other computer |
29 |
that the port had been opened. |
30 |
|
31 |
However, I tend to think it is more trouble than it's worth, and has a |
32 |
tendency to make people think that they can be lazy about security |
33 |
because 'intruders would have to port knock anyway'. I tend to prefer |
34 |
strong firewalls, strong passwords, and, potentially, RSA certs or |
35 |
something to _really_ make sure. |
36 |
|
37 |
> So you're saying ssh |
38 |
> running on an unusual port is good enough? |
39 |
|
40 |
I'm no expert, but from my logs: SSH attempts (from bots in Shanghai |
41 |
and the like) on port 22 number in the thousands, unexpected SSH |
42 |
attempts on the nonstandard ports I run SSH on (actually it's |
43 |
firewall-level port forwarding) have not yet been logged. |
44 |
|
45 |
It's kind of an "obscuring for security" argument, but I think it's a |
46 |
good balance between goofy port knocking setups and just running plain |
47 |
old SSH on 22. |
48 |
|
49 |
Of course, Nothing is a replacement for strong password enforcement, |
50 |
and if the systems are important, I would probably require certificates |
51 |
as well. |
52 |
|
53 |
And again, I stress that I'm no expert. I have been using nonstandard |
54 |
ports and the Bots seem none the wiser, but I can still log in on those |
55 |
ports from any computer without having to aquire and configure port |
56 |
knocking clients. |
57 |
|
58 |
> > > As for printing from lpr to cups across the internet, I should be |
59 |
> > > encrypting that data shouldn't I? Nothing too sensitive but it |
60 |
> > > sounds like a good thing to do. It looks like cups can use ssl |
61 |
> > > but I don't see any mention of it in man lpr. |
62 |
> > |
63 |
> > SSH Tunneling and VPN come to mind too, but I must ask - what good |
64 |
> > is printing a physical document across the net, unless the printer |
65 |
> > is still only a little way away, and if so, what is it doing behind |
66 |
> > a public network? I am curious about this deployment. |
67 |
> |
68 |
> I'd be happy to tell you more but I'm not sure what you mean. "Still |
69 |
> only a little way away"? |
70 |
> |
71 |
|
72 |
Thinking of all the times I printed something, I cant think of many |
73 |
situations when I didn't have to walk over to the printer after |
74 |
printing, grab the printout, and carry it to the intended destination. |
75 |
|
76 |
I can imagine situations where you'd want to print invoices and the |
77 |
like at front offices or even remote storefronts and locations, but |
78 |
wouldn't you want a VPN up between your remote offices anyway? |
79 |
|
80 |
|
81 |
|
82 |
-- |
83 |
gentoo-user@l.g.o mailing list |