[Nottingham] Exposing our internal network

Dan Mackdermott dan at inputlink.net
Thu Dec 1 21:39:30 GMT 2005

Hi Mike,

On Thu, 1 Dec 2005, Michael Leuty wrote:
> I'd be grateful for any helpful comments from you network gurus out there
> on the wet and wintry streets of Snotingaham.


> I should be grateful for your comments on how risky it is to open ports 22
> and 80, and whether Firestarter provides adequate defence against script
> kiddies. (I take it for granted that the gurus on this list would be able
> to break in without working up a sweat.  ;-)
> If we have accounts on the server with simple user names and passwords,
> are we running the risk of people being able to guess these
> names/passwords and then log on as that user through ssh?

Further to comments already sent/received, I would like to add that you 
may also want to consider turning off password authentication altogether, 
such that you can only get on with a key.  Brute force attempts won't then 
make a difference, they still can't get on.

If you ever consider having ftp on there as well, it is possible to put a 
key under a user account to enable access over ssh.  However, this can be 
mitigated by some imaginative use of PAM and to only allow pre-authorised 
users to login.  e.g.  The following line could be added into 

auth required /lib/security/pam_listfile.so item=user sense=allow file=/etc/ssh/pam.sshd onerr=fail

You then create the file /etc/ssh/pam.sshd with a list of users that are 
permitted to login over ssh.  The net result is it doesn't matter if they 
have a key or not, if they aren't on the list, they're not getting in!  :-)

Have fun!



Dan Mackdermott RHCE (Director)
InputLink Consulting Ltd
t: +44 (0)115 988 1700
m: +44 (0)7980 711 557

More information about the Nottingham mailing list