Hi,

From a security point of view, your best shot is to use port knocking and one-time 
passwords. Port knocking will keep your server without open ports 
available for possible attacks, and one-time passwords are a very secure 
way to send passwords even in plaintext. After that you can use your common 
techniques (not using root, using keys with passphrases on encrypted USB 
devices, and all your paranoia can think of).

If the machine is a common target of attacks then just open the ports you need 
(80 and 443 for Apache if it's a LAMP machine), set up port knocking on high 
ports, even ssh running on high ports, and tarpit all the others (tarpit is 
one very interesting option of iptables when compiled with the extensions USE 
flag). This way a simple port scan will leave the attacker with the machine 
almost impossible to use, and setting the non-tarpitted closed ports for port 
knocking to work on high-numbered ports means there's less chance of a port 
scan finding them just closed and not tarpitted. I dunno if port knocking works 
with tarpitted ports; if it does, it's even better.

The problems with this setup are:
- Port knocking needs extra software to work, although it's very simple; you can 
write a wrapper around the ssh client in minutes
- One-time passwords need you to keep a list of passwords, with all the dangers 
associated with that
- Installation of this setup on a remote machine is very likely to go wrong and 
need physical access.

Good luck.

Ricardo Loureiro

On Thursday 12 October 2006 03:01, Peter Abrahamsen wrote:
> Hi list,
>
> I'm looking for some opinions for a security decision. I need to
> enable remote administrative access to critical systems living about
> 3-4 hours from me and in another country. The systems will be running
> LAMP, more or less.
>
> Which is a better idea, allowing key-only root access, or ssh'ing in
> as myself and running su/sudo/whatever? Either way, I'll set up
> iptables so that connection attempts from anywhere other than my
> office are -j DROP'ed.
>
> Thanks,
>
> Peter
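The knock-sequence validation Ricardo describes (high knock ports, a short window between knocks, a closed service port that only opens for a source that completed the sequence) can be written as a small state machine fed from netfilter LOG lines. The following is an added example and not code from either poster; the sequence 7000/8000/9000, the service port 2222, the timeouts and the log lines are all constructed for illustration. It also shows the design point the reply hints at: any SYN to a port outside the sequence resets the source's progress, so a linear port scan that happens to sweep the knock ports in ascending order still never opens the service port.

```python
import re
from dataclasses import dataclass
from typing import Optional

KNOCK_SEQUENCE = (7000, 8000, 9000)   # constructed: knock ports kept high, as the reply suggests
KNOCK_TIMEOUT = 10.0                  # seconds allowed between two consecutive knocks
OPEN_WINDOW = 30.0                    # seconds the service port accepts the source after a good sequence
SERVICE_PORT = 2222                   # assumed: sshd moved to a high port

# Netfilter LOG lines carry "SRC=... DST=... PROTO=TCP SPT=... DPT=... SYN"
LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")


@dataclass
class KnockState:
    stage: int = 0                  # knocks of the sequence seen so far, in order
    last_seen: float = 0.0          # time of the last accepted knock
    opened_at: Optional[float] = None


class KnockTracker:
    """Stateful validator for a port-knocking sequence, keyed by source address."""

    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=KNOCK_TIMEOUT, window=OPEN_WINDOW):
        self.sequence = tuple(sequence)
        self.timeout = timeout
        self.window = window
        self.states = {}

    def knock(self, ts: float, src: str, dport: int) -> bool:
        """Record one SYN to a non-service port. Returns True when the sequence completes."""
        st = self.states.setdefault(src, KnockState())
        if st.stage and ts - st.last_seen > self.timeout:
            st.stage = 0                       # partial sequence went stale
        if dport == self.sequence[st.stage]:
            st.stage += 1
            st.last_seen = ts
            if st.stage == len(self.sequence):
                st.opened_at = ts
                st.stage = 0
                return True
            return False
        # Any other port resets progress. This defeats a linear scan: it does hit
        # 7000, 8000 and 9000 in order, but every port in between resets the sequence.
        st.stage = 0
        return False

    def is_open(self, ts: float, src: str) -> bool:
        st = self.states.get(src)
        return st is not None and st.opened_at is not None and 0 <= ts - st.opened_at <= self.window


def parse_line(line: str):
    """Return (ts, src, dport) from a '<seconds> kernel: ... SRC= ... DPT= ... SYN' line, else None."""
    if " SYN " not in line:
        return None
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = float(line.split(None, 1)[0])
    return ts, m.group("src"), int(m.group("dpt"))


def replay(lines, tracker=None):
    """Feed log lines through the tracker; return {src: accepted} for every SYN to SERVICE_PORT."""
    tracker = tracker or KnockTracker()
    decisions = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dport = parsed
        if dport == SERVICE_PORT:
            decisions[src] = tracker.is_open(ts, src)
        else:
            tracker.knock(ts, src, dport)
    return decisions


def _syn(ts, src, dport):
    # Constructed line in netfilter LOG format; the timestamp is plain seconds, not a syslog date.
    return (f"{ts} kernel: KNOCK: IN=eth0 OUT= SRC={src} DST=192.0.2.10 LEN=60 TOS=0x00 "
            f"PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40000 DPT={dport} WINDOW=5840 RES=0x00 SYN URGP=0")


SAMPLE_LOG = [
    # admin: correct sequence, then ssh within the open window
    _syn(0.0, "198.51.100.7", 7000), _syn(1.0, "198.51.100.7", 8000),
    _syn(2.0, "198.51.100.7", 9000), _syn(3.0, "198.51.100.7", 2222),
    # linear scan 6999..9001: reaches the knock ports in order, but the ports between reset it
    *[_syn(5.0 + i * 0.01, "203.0.113.4", p) for i, p in enumerate(range(6999, 9002))],
    _syn(30.0, "203.0.113.4", 2222),
    # correct sequence, but too slow between the first two knocks
    _syn(40.0, "192.0.2.99", 7000), _syn(60.0, "192.0.2.99", 8000),
    _syn(61.0, "192.0.2.99", 9000), _syn(62.0, "192.0.2.99", 2222),
]

if __name__ == "__main__":
    print(replay(SAMPLE_LOG))   # only 198.51.100.7 is accepted
```

In a real deployment the same logic would live in the firewall itself (iptables can track recent sources per port) rather than in a log reader, but the decision rules are the ones shown here: ordered ports, a per-knock deadline, reset on any stray port, and a bounded window before the service port closes again.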
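The reason one-time passwords are safe to send in plaintext, as the reply claims, is that each password is a preimage of the one the server currently holds, so an eavesdropper who captures it cannot derive the next one. Below is an added, S/KEY-style hash-chain illustration; it is not code from the thread, uses SHA-256 instead of the original S/KEY hash, and the seed and list length are constructed. The client side of it is exactly the "list of passwords" whose custody the reply lists as a problem.

```python
import hashlib
import hmac


def _h(data: bytes) -> bytes:
    # Assumed hash for this example; the property needed is one-wayness.
    return hashlib.sha256(data).digest()


def generate_chain(seed: bytes, n: int):
    """Return [H^0(seed), H^1(seed), ..., H^n(seed)]; the server is initialised with the last entry only."""
    chain = [seed]
    for _ in range(n):
        chain.append(_h(chain[-1]))
    return chain


class OtpServer:
    """Keeps the current anchor H^k(seed). A candidate is valid iff H(candidate) == anchor,
    after which the candidate becomes the new anchor, so the same value can never be replayed."""

    def __init__(self, anchor: bytes, count: int):
        self.anchor = anchor
        self.remaining = count      # passwords left before the list must be re-issued

    def verify(self, candidate: bytes) -> bool:
        if self.remaining <= 0:
            return False
        if not hmac.compare_digest(_h(candidate), self.anchor):
            return False
        self.anchor = candidate
        self.remaining -= 1
        return True


class OtpClient:
    """The printed list: entry i is H^i(seed), used from the top of the chain downwards."""

    def __init__(self, seed: bytes, n: int):
        self.chain = generate_chain(seed, n)
        self.next_index = n - 1

    def next_password(self) -> bytes:
        if self.next_index < 0:
            raise RuntimeError("one-time password list exhausted; re-initialise the chain")
        pw = self.chain[self.next_index]
        self.next_index -= 1
        return pw


def demo():
    """Walk one login, one replay of the same password, and exhaustion of a 5-entry list."""
    seed = b"constructed-seed-do-not-reuse"
    client = OtpClient(seed, 5)
    server = OtpServer(client.chain[5], 5)
    first = client.next_password()
    results = [server.verify(first), server.verify(first)]   # genuine login, then a replay
    for _ in range(4):
        results.append(server.verify(client.next_password()))
    return results, server.remaining


if __name__ == "__main__":
    print(demo())   # ([True, False, True, True, True, True], 0)
```

The captured value `first` is useless afterwards: the server's anchor has already moved to it, and producing the next valid password would require inverting the hash.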
