I run 2 ssh daemons.  One on port 22 for local network access only, with
password authentication enabled and no restriction on users.  The other
is on a higher port and is for WAN access only, with password
authentication disabled and users restricted to the admins and the user
that runs my over-the-internet backups.

In reality, I only have one network card and both ssh daemons are
capable of listening from any address.  However, my firewall blocks
inbound port 22 from the internet, but allows inbound access on the
higher ssh port.

-Rob

Timothy Legge wrote:
> Hi
> 
> Just a couple of notes on my recent implementation of Ubuntu with LTSP
> 5.  The progress on sound, local devices etc is amazing compared to my
> first FC1 based install.  Most things just work in initial testing but
> I am sure the users will find issues when they start looking.
> 
> I did run into a few gotchas for server hardening though:
> 
> 1) Clients run over ssh so the typical things that I configure caused
> issues, notably:
>    a) AllowUsers
>    b) Changing the default port from 22 to something else
> 2) Running Bastille Unix to lock down the server disabled tftp and
> changed the permissions on tcpd changing them back to the original with
> all other settings
> 3) denyhosts with LTSP is problematic because incorrect passwords on
> the terminals will cause them to be locked out
> 4) Locking down Firefox 3 proxy settings is a little annoying.  The
> script I normally use works but I need to manually copy a firefox.cfg
> to the firefox directory.  I need to look to see if there is a newer
> version.
> 5) I have one client that seems to rev up when using flash that I need
> to look at (the fans kick in and it makes a heck of a noise)
> 
> I will probably look into whether denyhosts can ignore the terminal
> network and whether it makes sense to run two ssh daemons one internal
> and one external.
> 
> Does anyone else have server hardening processes that you use for LTSP?
> 
> Tim
> 
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> Build the coolest Linux based applications with Moblin SDK & win great prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _____________________________________________________________________
> Ltsp-discuss mailing list.   To un-subscribe, or change prefs, goto:
>       https://lists.sourceforge.net/lists/listinfo/ltsp-discuss
> For additional LTSP help,   try #ltsp channel on irc.freenode.net
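The two-daemon split described in the reply at the top, as an added example that is not part of the original messages: a Python check over two constructed sshd_config texts that confirms the WAN instance is the restricted one. Port 2222, the file names and the user names are assumptions; the check covers only the sshd side, since the LAN/WAN separation itself comes from the firewall rules.

```python
# Constructed sample configs; port 2222, paths and user names are assumptions.
LAN_CONFIG = """\
# /etc/ssh/sshd_config (LAN instance, used by the LTSP clients)
Port 22
PasswordAuthentication yes
"""

WAN_CONFIG = """\
# /etc/ssh/sshd_config_wan (WAN instance, reached through the firewall)
Port 2222
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers admin1 admin2 backup
"""

def parse_sshd_config(text):
    """Return {lowercased keyword: [values]} for the global section."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("match "):
            break  # global settings end at the first Match block
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        opts.setdefault(parts[0].lower(), []).append(value)
    return opts

def first(opts, key, default):
    # For most keywords sshd uses the first value it reads.
    return opts.get(key, [default])[0].lower()

def audit_split(lan_text, wan_text):
    """Return a list of problems with the LAN/WAN daemon split (empty if OK)."""
    lan, wan = parse_sshd_config(lan_text), parse_sshd_config(wan_text)
    problems = []
    # Port defaults to 22 when unset; a shared port defeats the firewall split.
    if set(lan.get("port", ["22"])) & set(wan.get("port", ["22"])):
        problems.append("both daemons share a port")
    # PasswordAuthentication defaults to yes, so it must be disabled explicitly.
    if first(wan, "passwordauthentication", "yes") != "no":
        problems.append("WAN daemon accepts passwords")
    if "allowusers" not in wan:
        problems.append("WAN daemon has no AllowUsers restriction")
    return problems

if __name__ == "__main__":
    print(audit_split(LAN_CONFIG, WAN_CONFIG) or "split looks consistent")
```

Each daemon is started with its own file through `sshd -f <file>`; the LAN instance is left unrestricted here because the LTSP clients log in through it.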