| 1 |
On Sun, 3 Feb 2008 07:27:12 -0800 |
| 2 |
Grant <emailgrant@×××××.com> wrote: |
| 3 |
|
| 4 |
> > > Well thank you for that. I had planned on setting up port |
| 5 |
> > > knocking for ssh and cups but I guess I'm just as well off |
| 6 |
> > > leaving them listening on 22 and 631? |
| 7 |
> > |
| 8 |
> > Fail2Ban, though a little intensive, seems to be a decent method for |
| 9 |
> > avoiding unwanted SSH traffic while accepting trusted traffic. I |
| 10 |
> > have seen one deployment where it seems passably inconspicuous, at |
| 11 |
> > least. |
| 12 |
> > |
| 13 |
> > Alternately, if you run SSH on an unusual port, you're unlikely to |
| 14 |
> > see much Bot traffic. I would recommend this, if you're concerned, |
| 15 |
> > above port knocking myself -- relying on a complicated |
| 16 |
> > "pre-authentication" method rather than / in addition to a remote |
| 17 |
> > admin tool like SSH seems to be asking for problems. |
| 18 |
> |
| 19 |
> Do you mean problems in the form of hassles? |
| 20 |
|
| 21 |
Yeah, hassles and potential misconfiguration, because if anything goes |
| 22 |
wrong (rookie admin messes up knocking, for instance, on the |
| 23 |
server/firewall) you can't log in from home and fix it, you have to |
| 24 |
drive all the way out there to get in from the other side. |
| 25 |
|
| 26 |
Port knocking seems like a decent security method to me, especially if |
| 27 |
it was running on the firewall and opened ports only to the knocking IP |
| 28 |
-- in that case, it certainly wouldn't be obvious to any other computer |
| 29 |
that the port had been opened. |
| 30 |
|
| 31 |
However, I tend to think it is more trouble than it's worth, and has a |
| 32 |
tendency to make people think that they can be lazy about security |
| 33 |
because 'intruders would have to port knock anyway'. I tend to prefer |
| 34 |
strong firewalls, strong passwords, and, potentially, RSA certs or |
| 35 |
something to _really_ make sure. |
| 36 |
|
| 37 |
> So you're saying ssh |
| 38 |
> running on an unusual port is good enough? |
| 39 |
|
| 40 |
I'm no expert, but from my logs: SSH attempts (from bots in Shanghai |
| 41 |
and the like) on port 22 number in the thousands, unexpected SSH |
| 42 |
attempts on the nonstandard ports I run SSH on (actually it's |
| 43 |
firewall-level port forwarding) have not yet been logged. |
| 44 |
|
| 45 |
It's kind of an "obscuring for security" argument, but I think it's a |
| 46 |
good balance between goofy port knocking setups and just running plain |
| 47 |
old SSH on 22. |
| 48 |
|
| 49 |
Of course, Nothing is a replacement for strong password enforcement, |
| 50 |
and if the systems are important, I would probably require certificates |
| 51 |
as well. |
| 52 |
|
| 53 |
And again, I stress that I'm no expert. I have been using nonstandard |
| 54 |
ports and the Bots seem none the wiser, but I can still log in on those |
| 55 |
ports from any computer without having to aquire and configure port |
| 56 |
knocking clients. |
| 57 |
|
| 58 |
> > > As for printing from lpr to cups across the internet, I should be |
| 59 |
> > > encrypting that data shouldn't I? Nothing too sensitive but it |
| 60 |
> > > sounds like a good thing to do. It looks like cups can use ssl |
| 61 |
> > > but I don't see any mention of it in man lpr. |
| 62 |
> > |
| 63 |
> > SSH Tunneling and VPN come to mind too, but I must ask - what good |
| 64 |
> > is printing a physical document across the net, unless the printer |
| 65 |
> > is still only a little way away, and if so, what is it doing behind |
| 66 |
> > a public network? I am curious about this deployment. |
| 67 |
> |
| 68 |
> I'd be happy to tell you more but I'm not sure what you mean. "Still |
| 69 |
> only a little way away"? |
| 70 |
> |
| 71 |
|
| 72 |
Thinking of all the times I printed something, I cant think of many |
| 73 |
situations when I didn't have to walk over to the printer after |
| 74 |
printing, grab the printout, and carry it to the intended destination. |
| 75 |
|
| 76 |
I can imagine situations where you'd want to print invoices and the |
| 77 |
like at front offices or even remote storefronts and locations, but |
| 78 |
wouldn't you want a VPN up between your remote offices anyway? |
| 79 |
|
| 80 |
|
| 81 |
|
| 82 |
-- |
| 83 |
gentoo-user@l.g.o mailing list |
Archives