I second the OpenVPN approach. If you can spare a box of any sort for a serious firewall, look at pfsense.org; it was really easy to set up and has some other additions that kick the ass out of my old Cisco PIX Firewall (and the newer ASA).

Stuff like:
- Failover WAN
- Traffic shaping
- Traffic monitoring/logging via transparent proxy
- Caching, including YouTube videos, via the same proxy
- On-the-fly virus scanning

-----Original Message-----
From: [email protected] on behalf of Kevin Miller
Sent: Sun 25/11/2012 23:32
To: User discussion about the Rivendell Radio Automation System
Subject: Re: [RDD] security breach

On 11/25/2012 10:51 AM, James Harrison wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Best approach is not to use passwords - SSH keys are simple to set up
> and you can disable password authentication in sshd, which makes your
> system practically uncrackable.

Took the words right out of my mouth. The other thing I like to do is disable ssh 1 and ssh to root. If you need root access from afar, ssh to a non-privileged account then "su -" to gain root.

> Fail2ban is also an excellent program to run - it will automatically
> block in iptables anything that fails to login more than a few times,
> which stops most automated bots.

As a further step, you could set up an OpenVPN server and not expose your Rivendell box to inbound internet traffic at all. You create a tunnel to the OpenVPN server, then you're 'local' and can ssh to the rd host. Linux Journal had a great three-part write-up on this a few years back in the Paranoid Penguin column. (The ssh/OpenVPN part, not the Rivendell part.)

Best of luck with the cleanup...

...Kevin
--
Kevin Miller - http://www.alaska.net/~atftb
Juneau, Alaska
In a recent survey, 7 out of 10 hard drives preferred Linux
Registered Linux User No: 307357, http://linuxcounter.net
_______________________________________________
Rivendell-dev mailing list
[email protected]
http://lists.rivendellaudio.org/mailman/listinfo/rivendell-dev
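An added example, not from the thread or from the Rivendell project: a small POSIX shell audit that checks an sshd_config for the settings recommended above (protocol 2 only, password authentication off, root login off). The two sample config files, the function names and the temp-file paths are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the settings
# recommended above: protocol 2 only, no password logins, no root logins.
# sshd honours the FIRST uncommented occurrence of a directive, so that is
# the one we read. Note: OpenSSH 7.4+ dropped protocol 1 server support, so
# the Protocol line only matters on older releases like those of 2012.

# Print the effective value of a directive, or "unset" if it never appears.
# Directive names are case-insensitive in sshd, so compare in lower case.
sshd_effective() {
    # $1 = config file, $2 = directive name
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        tolower($1) == want { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Return 0 when every directive matches the expected value, 1 otherwise,
# printing each directive that is missing or wrong. "unset" counts as a
# failure: defaults change between versions, so hardening should be explicit.
audit_sshd_config() {
    cfg="$1"; rc=0
    for pair in "Protocol=2" "PasswordAuthentication=no" "PermitRootLogin=no"; do
        name=${pair%%=*}; expect=${pair#*=}
        got=$(sshd_effective "$cfg" "$name")
        if [ "$got" != "$expect" ]; then
            printf 'FAIL %s: expected %s, got %s\n' "$name" "$expect" "$got"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample configs, written to temp files so the audit runs offline.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# default-style sshd_config: a commented-out line changes nothing
Port 22
#PasswordAuthentication no
PermitRootLogin yes
EOF
HARDENED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
EOF
audit_sshd_config "$WEAK_CFG" || echo "weak config failed the audit (expected)"
audit_sshd_config "$HARDENED_CFG" && echo "hardened config passed the audit"
```

Point it at /etc/ssh/sshd_config on a real host and it prints one FAIL line per directive that still needs attention; `sshd -T` on the host itself is the authoritative view of the effective settings once sshd is reloaded.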
