> > > > Well thank you for that. I had planned on setting up port
> > > > knocking for ssh and cups but I guess I'm just as well off
> > > > leaving them listening on 22 and 631?
> > >
> > > Fail2Ban, though a little intensive, seems to be a decent method for
> > > avoiding unwanted SSH traffic while accepting trusted traffic. I
> > > have seen one deployment where it seems passably inconspicuous, at
> > > least.
> > >
> > > Alternately, if you run SSH on an unusual port, you're unlikely to
> > > see much bot traffic. I would recommend this, if you're concerned,
> > > above port knocking myself -- relying on a complicated
> > > "pre-authentication" method rather than / in addition to a remote
> > > admin tool like SSH seems to be asking for problems.
> >
> > Do you mean problems in the form of hassles?
>
> Yeah, hassles and potential misconfiguration, because if anything goes
> wrong (rookie admin messes up knocking, for instance, on the
> server/firewall) you can't log in from home and fix it, you have to
> drive all the way out there to get in from the other side.
>
> Port knocking seems like a decent security method to me, especially if
> it was running on the firewall and opened ports only to the knocking IP
> -- in that case, it certainly wouldn't be obvious to any other computer
> that the port had been opened.
>
> However, I tend to think it is more trouble than it's worth, and has a
> tendency to make people think that they can be lazy about security
> because 'intruders would have to port knock anyway'. I tend to prefer
> strong firewalls, strong passwords, and, potentially, RSA certs or
> something to _really_ make sure.
>
> > So you're saying ssh
> > running on an unusual port is good enough?
>
> I'm no expert, but from my logs: SSH attempts (from bots in Shanghai
> and the like) on port 22 number in the thousands; unexpected SSH
> attempts on the nonstandard ports I run SSH on (actually it's
> firewall-level port forwarding) have not yet been logged.
>
> It's kind of an "obscuring for security" argument, but I think it's a
> good balance between goofy port knocking setups and just running plain
> old SSH on 22.
>
> Of course, nothing is a replacement for strong password enforcement,
> and if the systems are important, I would probably require certificates
> as well.
>
> And again, I stress that I'm no expert. I have been using nonstandard
> ports and the bots seem none the wiser, but I can still log in on those
> ports from any computer without having to acquire and configure port
> knocking clients.

Sounds like I should forget port knocking and set up RSA certificates.

> > > > As for printing from lpr to cups across the internet, I should be
> > > > encrypting that data, shouldn't I? Nothing too sensitive but it
> > > > sounds like a good thing to do. It looks like cups can use ssl
> > > > but I don't see any mention of it in man lpr.
> > >
> > > SSH tunneling and VPN come to mind too, but I must ask - what good
> > > is printing a physical document across the net, unless the printer
> > > is still only a little way away, and if so, what is it doing behind
> > > a public network? I am curious about this deployment.
> >
> > I'd be happy to tell you more but I'm not sure what you mean. "Still
> > only a little way away"?
> >
>
> Thinking of all the times I printed something, I can't think of many
> situations when I didn't have to walk over to the printer after
> printing, grab the printout, and carry it to the intended destination.
>
> I can imagine situations where you'd want to print invoices and the
> like at front offices or even remote storefronts and locations, but
> wouldn't you want a VPN up between your remote offices anyway?

That's more or less what I'm trying to do. Is setting up a VPN
between my remote server and local network overkill? I think the only
thing I'd use it for is to hide the sending of these printouts.

- Grant
-- 
gentoo-user@l.g.o mailing list
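The thread's conclusion (keys instead of passwords, with a nonstandard port only as noise reduction) can be checked against an sshd_config mechanically. The following shell audit is an added example, not something posted in the thread; the sample config files, the port 2222 and the temp-file paths are constructed values.

```sh
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the
# choices discussed above. Sample configs below are constructed.

# Print the effective value of an sshd_config keyword. sshd uses the
# first occurrence of a keyword, so stop at the first match.
# (Match blocks and the rare "Keyword=value" form are not handled.)
sshd_setting() {  # $1 = config file, $2 = keyword (case-insensitive)
  awk -v k="$2" 'tolower($1)==tolower(k) {print $2; exit}' "$1"
}

# Report weak settings on stderr; print the number of findings on stdout.
count_sshd_weaknesses() {  # $1 = config file
  n=0
  pw=$(sshd_setting "$1" PasswordAuthentication)
  if [ "${pw:-yes}" != "no" ]; then        # OpenSSH default is "yes"
    echo "PasswordAuthentication=${pw:-yes}: bots can guess passwords; use keys" >&2
    n=$((n + 1))
  fi
  pk=$(sshd_setting "$1" PubkeyAuthentication)
  if [ "${pk:-yes}" != "yes" ]; then       # default "yes"
    echo "PubkeyAuthentication=$pk: key login disabled" >&2
    n=$((n + 1))
  fi
  root=$(sshd_setting "$1" PermitRootLogin)
  if [ "${root:-prohibit-password}" = "yes" ]; then
    echo "PermitRootLogin=yes: root reachable with a password" >&2
    n=$((n + 1))
  fi
  port=$(sshd_setting "$1" Port)
  if [ "${port:-22}" = "22" ]; then        # informational, not a finding
    echo "note: Port 22; a nonstandard port only cuts log noise" >&2
  fi
  echo "$n"
}

# Constructed sample configs: a default-style install, and the key-only
# setup the thread ends up recommending.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
printf 'Port 22\nPasswordAuthentication yes\nPermitRootLogin yes\n' > "$WEAK_CFG"
printf 'Port 2222\nPubkeyAuthentication yes\nPasswordAuthentication no\nPermitRootLogin no\n' > "$HARD_CFG"

count_sshd_weaknesses "$WEAK_CFG"   # prints 2
count_sshd_weaknesses "$HARD_CFG"   # prints 0
```

Run it against the live file (`count_sshd_weaknesses /etc/ssh/sshd_config`) after key login has been verified from a second session, since setting PasswordAuthentication to no before then recreates exactly the lock-out the thread warns about with port knocking.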