[Nottingham] Exposing our internal network
Dan Mackdermott
dan at inputlink.net
Thu Dec 1 21:39:30 GMT 2005
Hi Mike,
On Thu, 1 Dec 2005, Michael Leuty wrote:
> I'd be grateful for any helpful comments from you network gurus out there
> on the wet and wintry streets of Snotingaham.
<snip>
> I should be grateful for your comments on how risky it is to open ports 22
> and 80, and whether Firestarter provides adequate defence against script
> kiddies. (I take it for granted that the gurus on this list would be able
> to break in without working up a sweat. ;-)
> If we have accounts on the server with simple user names and passwords,
> are we running the risk of people being able to guess these
> names/passwords and then log on as that user through ssh?
Further to comments already sent/received, I would like to add that you
may also want to consider turning off password authentication altogether,
such that you can only get on with a key. Brute force attempts won't then
make a difference; they still can't get on.
If you ever consider having ftp on there as well, it is possible to put a
key under a user account to enable access over ssh. However, this can be
mitigated by some imaginative use of PAM, only allowing pre-authorised
users to log in, e.g. the following line could be added to
/etc/pam.d/sshd...
auth required /lib/security/pam_listfile.so item=user sense=allow file=/etc/ssh/pam.sshd onerr=fail
You then create the file /etc/ssh/pam.sshd with a list of users that are
permitted to login over ssh. The net result is it doesn't matter if they
have a key or not, if they aren't on the list, they're not getting in! :-)
Have fun!
Cheers,
Dan
--
Dan Mackdermott RHCE (Director)
InputLink Consulting Ltd
http://www.inputlink.net
t: +44 (0)115 988 1700
m: +44 (0)7980 711 557
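As an added illustration (not part of Dan's message), the shell below mirrors what the pam_listfile line above does with item=user sense=allow onerr=fail, so an admin can dry-run the allow-list policy before enabling it; the list path is a constructed temporary file, not the real /etc/ssh/pam.sshd. Note that with UsePAM enabled, OpenSSH runs PAM auth modules only for password and keyboard-interactive logins while account and session modules run for every method, so check which stack your sshd consults before relying on the entry to cover key-based logins.

```shell
#!/bin/sh
# Assumption: a scratch path for this demo; the real file is /etc/ssh/pam.sshd.
ALLOWFILE="${ALLOWFILE:-/tmp/pam.sshd.example}"

# Build the allow-list the way pam_listfile reads it with item=user:
# one username per line. Keep it root-owned and not world-writable.
write_allowlist() {
    printf '%s\n' "$@" > "$ALLOWFILE"
    chmod 0600 "$ALLOWFILE"
}

# Mirrors: auth required pam_listfile.so item=user sense=allow \
#              file=/etc/ssh/pam.sshd onerr=fail
# Returns 0 if the user would be allowed, 1 if denied.
ssh_login_allowed() {
    user="$1"
    # onerr=fail: a missing or unreadable list denies everyone,
    # rather than silently letting all users through.
    [ -r "$ALLOWFILE" ] || return 1
    # sense=allow: only an exact, whole-line match passes, so "ali"
    # does not match "alice" and a substring cannot sneak in.
    grep -qxF -- "$user" "$ALLOWFILE"
}

# Companion sshd_config directives for key-only access, as the message
# suggests (the PAM list then acts as a second gate):
#   PasswordAuthentication no
#   PubkeyAuthentication yes
#   UsePAM yes
```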