> I am not sure. The idea is to protect the inner system. It may be > that a simple port forwarding would accomplish that but I am not sure > I can convince my boss. If I were to do a simple port forwarding this
In that case ... Keep your sshd up to date. As long as you do this, sshd is a very reliable good protocol nearly impossible for anyone to hack via any means other than "blatant server misconfiguration" or "stupid user".

Disallow root login via ssh. Root is the only username that's pretty well guaranteed to exist on every machine, and 99% of the time, an inbound ssh attack would be an unintelligent root brute force (you can validate this just by looking at your logs occasionally). At one point, I enabled super-verbose-debug sshd to allow me to see the failed usernames & passwords in the log, and it's really dumb, like "root/password" and "root/admin" and "root/root" etc.

Enforce a password complexity requirement. In my case, I have Linux authenticate against AD via Kerberos, where it's really easy to have a strong password policy.

If possible, include a 2nd level of authentication, such as "both ssh key and password required" or "password and SecurID required" or something like that, which makes any brute force attempt or stupid user preying irrelevant too. Does anybody have any comments on how to do this?

And then, simply open port 22 to the internet. Whenever I've done this, I have occasionally seen brute force attacks come in and get correctly consistently denied - but it can still drive 100% cpu usage on the server and/or heavy network traffic. So I also like to run sshd on a nonstandard port.

_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
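The steps in the post above (no root login, a second authentication factor, a non-default port, and checking the logs for root brute force) can be turned into a small audit. The following is an added example, not code from the thread or from any poster: it parses a constructed sshd_config with sshd's first-occurrence-wins semantics and flags the settings the post calls out, then tallies "Failed password" lines from a constructed auth.log excerpt per user and source address. The option names (PermitRootLogin, Port, AuthenticationMethods, PasswordAuthentication) are real sshd_config keywords; the sample config values, host names, addresses and log lines are constructed for illustration.

```python
"""Audit sshd_config hardening and tally failed ssh logins.

Added example for the LOPSA thread; not code from the original post.
The configs and log lines below are constructed samples.
"""
import re
from collections import Counter

# Constructed: a permissive config of the kind the post argues against.
LENIENT_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed: the same host after applying the post's advice.
HARDENED_CONFIG = """\
# sshd_config (constructed sample)
Port 2222
PermitRootLogin no
# Both a key and a password must succeed, in that order.
AuthenticationMethods publickey,password
PasswordAuthentication yes
"""

# Constructed auth.log excerpt showing the root brute force the post describes.
SAMPLE_LOG = """\
Jan 10 03:11:02 host sshd[1201]: Failed password for root from 203.0.113.9 port 51022 ssh2
Jan 10 03:11:05 host sshd[1201]: Failed password for root from 203.0.113.9 port 51023 ssh2
Jan 10 03:11:09 host sshd[1203]: Failed password for invalid user admin from 203.0.113.9 port 51024 ssh2
Jan 10 03:12:44 host sshd[1210]: Failed password for alice from 198.51.100.7 port 40112 ssh2
Jan 10 03:13:01 host sshd[1215]: Accepted publickey for alice from 198.51.100.7 port 40113 ssh2
"""


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section of an sshd_config.

    sshd honours the FIRST occurrence of a keyword, so earlier lines win.
    Everything after a 'Match' line is conditional and is not read here;
    a real audit should also check those blocks.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # sshd only treats whole-line '#' as comments
            continue
        key, value = (re.split(r"[\s=]+", line, maxsplit=1) + [""])[:2]
        key = key.lower()
        if key == "match":
            break
        settings.setdefault(key, value.strip())
    return settings


def audit(text):
    """Return a list of findings; an empty list means the config passes."""
    s = parse_sshd_config(text)
    findings = []
    # The built-in default for PermitRootLogin varies by OpenSSH version,
    # so an unset value is flagged rather than assumed safe.
    if s.get("permitrootlogin") != "no":
        findings.append("PermitRootLogin is not 'no'")
    if s.get("port", "22") == "22":
        findings.append("sshd listens on the default port 22")
    # AuthenticationMethods lists space-separated alternatives; each alternative
    # is a comma-separated chain that must ALL succeed. Two factors are
    # required only if every alternative is a chain of at least two methods.
    alternatives = s.get("authenticationmethods", "").split()
    if not alternatives or any("," not in alt for alt in alternatives):
        findings.append("AuthenticationMethods does not require two factors")
    return findings


FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")


def failed_logins(log_text):
    """Count failed password attempts per (username, source address)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[(m.group(1), m.group(2))] += 1
    return counts


if __name__ == "__main__":
    for name, cfg in (("lenient", LENIENT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit(cfg) or "no findings")
    for (user, addr), n in failed_logins(SAMPLE_LOG).most_common():
        print(f"{n:3d} failed password attempts for {user} from {addr}")
```

Running the script prints three findings for the lenient config and none for the hardened one, and shows root from 203.0.113.9 at the top of the failure tally, which is the pattern the post says you will see in your own logs. On a live host, feed it the output of `sshd -T` (the effective configuration) rather than the raw file so that Include directives and version defaults are resolved for you.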
