| 1 |
> > > > Well thank you for that. I had planned on setting up port |
| 2 |
> > > > knocking for ssh and cups but I guess I'm just as well off |
| 3 |
> > > > leaving them listening on 22 and 631? |
| 4 |
> > > |
| 5 |
> > > Fail2Ban, though a little intensive, seems to be a decent method for |
| 6 |
> > > avoiding unwanted SSH traffic while accepting trusted traffic. I |
| 7 |
> > > have seen one deployment where it seems passably inconspicuous, at |
| 8 |
> > > least. |
| 9 |
> > > |
| 10 |
> > > Alternately, if you run SSH on an unusual port, you're unlikely to |
| 11 |
> > > see much Bot traffic. I would recommend this, if you're concerned, |
| 12 |
> > > above port knocking myself -- relying on a complicated |
| 13 |
> > > "pre-authentication" method rather than / in addition to a remote |
| 14 |
> > > admin tool like SSH seems to be asking for problems. |
| 15 |
> > |
| 16 |
> > Do you mean problems in the form of hassles? |
| 17 |
> |
| 18 |
> Yeah, hassles and potential misconfiguration, because if anything goes |
| 19 |
> wrong (rookie admin messes up knocking, for instance, on the |
| 20 |
> server/firewall) you can't log in from home and fix it, you have to |
| 21 |
> drive all the way out there to get in from the other side. |
| 22 |
> |
| 23 |
> Port knocking seems like a decent security method to me, especially if |
| 24 |
> it was running on the firewall and opened ports only to the knocking IP |
| 25 |
> -- in that case, it certainly wouldn't be obvious to any other computer |
| 26 |
> that the port had been opened. |
| 27 |
> |
| 28 |
> However, I tend to think it is more trouble than it's worth, and has a |
| 29 |
> tendency to make people think that they can be lazy about security |
| 30 |
> because 'intruders would have to port knock anyway'. I tend to prefer |
| 31 |
> strong firewalls, strong passwords, and, potentially, RSA certs or |
| 32 |
> something to _really_ make sure. |
| 33 |
> |
| 34 |
> > So you're saying ssh |
| 35 |
> > running on an unusual port is good enough? |
| 36 |
> |
| 37 |
> I'm no expert, but from my logs: SSH attempts (from bots in Shanghai |
| 38 |
> and the like) on port 22 number in the thousands, unexpected SSH |
| 39 |
> attempts on the nonstandard ports I run SSH on (actually it's |
| 40 |
> firewall-level port forwarding) have not yet been logged. |
| 41 |
> |
| 42 |
> It's kind of an "obscuring for security" argument, but I think it's a |
| 43 |
> good balance between goofy port knocking setups and just running plain |
| 44 |
> old SSH on 22. |
| 45 |
> |
| 46 |
> Of course, Nothing is a replacement for strong password enforcement, |
| 47 |
> and if the systems are important, I would probably require certificates |
| 48 |
> as well. |
| 49 |
> |
| 50 |
> And again, I stress that I'm no expert. I have been using nonstandard |
| 51 |
> ports and the Bots seem none the wiser, but I can still log in on those |
| 52 |
> ports from any computer without having to aquire and configure port |
| 53 |
> knocking clients. |
| 54 |
|
| 55 |
Sounds like I should forget port knocking and set up RSA certificates. |
| 56 |
|
| 57 |
> > > > As for printing from lpr to cups across the internet, I should be |
| 58 |
> > > > encrypting that data shouldn't I? Nothing too sensitive but it |
| 59 |
> > > > sounds like a good thing to do. It looks like cups can use ssl |
| 60 |
> > > > but I don't see any mention of it in man lpr. |
| 61 |
> > > |
| 62 |
> > > SSH Tunneling and VPN come to mind too, but I must ask - what good |
| 63 |
> > > is printing a physical document across the net, unless the printer |
| 64 |
> > > is still only a little way away, and if so, what is it doing behind |
| 65 |
> > > a public network? I am curious about this deployment. |
| 66 |
> > |
| 67 |
> > I'd be happy to tell you more but I'm not sure what you mean. "Still |
| 68 |
> > only a little way away"? |
| 69 |
> > |
| 70 |
> |
| 71 |
> Thinking of all the times I printed something, I cant think of many |
| 72 |
> situations when I didn't have to walk over to the printer after |
| 73 |
> printing, grab the printout, and carry it to the intended destination. |
| 74 |
> |
| 75 |
> I can imagine situations where you'd want to print invoices and the |
| 76 |
> like at front offices or even remote storefronts and locations, but |
| 77 |
> wouldn't you want a VPN up between your remote offices anyway? |
| 78 |
|
| 79 |
That's more or less what I'm trying to do. Is setting up a VPN |
| 80 |
between my remote server and local network overkill? I think the only |
| 81 |
thing I'd use it for is to hide the sending of these printouts. |
| 82 |
|
| 83 |
- Grant |
| 84 |
-- |
| 85 |
gentoo-user@l.g.o mailing list |
Archives