[sclug] Home wireless lan

lug at assursys.co.uk lug at assursys.co.uk
Sat Oct 25 09:05:48 UTC 2003


On Fri, 18 Jul 2003, Tom Dawes-Gamble wrote:

> On Thu, 2003-07-17 at 23:16, Paul Vanlint wrote:
> 
> > 
> > All my internal machines are running ssh, listening on port 22. I configured
> > my NAT box to redirect a range of ports, e.g. 9000-9005 to port 22 on the
> > appropriate machines.
> > 
> 
> I'm not sure it's a good thing to leave all of the systems open for ssh
> from the big bad world outside.  It would be much better IMHO to have
> one system you ssh to and use that as a staging post to the other
> systems behind your firewall.

Agreed. I'm sure I remember buffer overflow exploits against open SSH
daemons (with no requirement to authenticate, even). I'd even go one further
and only allow SSH from source addresses that you're likely to use (i.e.
your employer's network, f'rinstance).

Going one step further, and you're looking at token-based authentication
such as SecurID.

Best Regards,
Alex.
-- 
Alex Butcher      Brainbench MVP for Internet Security: www.brainbench.com
Bristol, UK                      Need reliable and secure network systems?
PGP/GnuPG ID:0x271fd950                         <http://www.assursys.com/>
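As an added example (not code from anyone in this thread), the script below takes a NAT port-forwarding table of the kind Paul describes (external ports 9000-9005 redirected to port 22 on internal machines), counts how many internal hosts it exposes to SSH from outside, and emits the alternative Tom and Alex argue for: one bastion host reachable only from allow-listed source networks, with the remaining machines reached through it. The addresses, interface name, hostname and forwarding table are constructed placeholders; the iptables and ssh_config syntax is real.

```shell
#!/bin/sh
# Added example for the sclug thread, not part of the original mail.
# Constructed data: interface eth0, bastion 192.168.1.10, public hostname
# gw.example.net and the source networks are placeholders, not real hosts.

# Constructed forwarding table: "<external port> <internal address> <internal port>"
# (the setup criticised in the thread: every machine exposed on SSH).
WEAK_FORWARDS='9000 192.168.1.10 22
9001 192.168.1.11 22
9002 192.168.1.12 22
9003 192.168.1.10 22
8080 192.168.1.20 80'

# Count the distinct internal hosts reachable on port 22 from outside.
# Reads a forwarding table on stdin and prints the count; anything above
# one means more than a single staging post is exposed.
ssh_exposed_hosts() {
    awk '$3 == 22 && !($2 in seen) { seen[$2] = 1; n++ } END { print n + 0 }'
}

# Emit iptables rules for the recommended design: one external port is
# forwarded to one bastion, and only for the listed source networks.
# Connection attempts for that port from anywhere else are dropped.
# Usage: bastion_rules WAN_IF EXT_PORT BASTION_IP CIDR [CIDR...]
bastion_rules() {
    wan=$1; port=$2; bastion=$3; shift 3
    for cidr in "$@"; do
        printf 'iptables -t nat -A PREROUTING -i %s -p tcp -s %s --dport %s -j DNAT --to-destination %s:22\n' \
            "$wan" "$cidr" "$port" "$bastion"
        printf 'iptables -A FORWARD -i %s -p tcp -s %s -d %s --dport 22 -j ACCEPT\n' \
            "$wan" "$cidr" "$bastion"
    done
    # Non-allow-listed sources are not translated, so they hit INPUT: drop them.
    printf 'iptables -A INPUT -i %s -p tcp --dport %s -j DROP\n' "$wan" "$port"
    printf 'iptables -A FORWARD -i %s -p tcp -d %s --dport 22 -j DROP\n' "$wan" "$bastion"
}

# Emit an OpenSSH client config (~/.ssh/config) that reaches the internal
# machines through the bastion with ProxyJump (OpenSSH 7.3 or later), so
# they need no externally forwarded port at all.
# Usage: proxyjump_config BASTION_PUBLIC_HOST EXT_PORT INTERNAL_HOST...
proxyjump_config() {
    pub=$1; port=$2; shift 2
    printf 'Host bastion\n    HostName %s\n    Port %s\n\n' "$pub" "$port"
    for host in "$@"; do
        printf 'Host %s\n    HostName %s\n    ProxyJump bastion\n\n' "$host" "$host"
    done
}

# Demonstration on the constructed data.
echo "Internal hosts exposed on SSH by the weak table: $(printf '%s\n' "$WEAK_FORWARDS" | ssh_exposed_hosts)"
echo "--- firewall rules for a single bastion, two allowed source networks ---"
bastion_rules eth0 9000 192.168.1.10 198.51.100.0/24 203.0.113.5/32
echo "--- client config reaching the other machines through the bastion ---"
proxyjump_config gw.example.net 9000 192.168.1.11 192.168.1.12
```

The source allow-list is the part Alex adds to Tom's advice: with it in place, a pre-authentication flaw in sshd is only reachable from networks you already trust, and the other internal machines are never reachable from the outside at all.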


