[sclug] Home wireless lan
Bob Franklin
r.c.franklin at reading.ac.uk
Sat Oct 25 09:05:48 UTC 2003
On Fri, 18 Jul 2003 lug at assursys.co.uk wrote:
> > I'm not sure it's a good thing to leave all of the systems open for
> > ssh from the big bad world outside. It would be much better IMHO to
> > have one system you ssh to and use that as a staging post to the other
> > systems behind your firewall.
>
> Agreed. I'm sure I remember buffer overflow exploits against open SSH
> daemons (with no requirement to authenticate, even). I'd even go one
> further and only allow SSH from source addresses that you're likely to
> use (i.e. your employer's network, f'rinstance).

Indeed.

I have one box with SSH on it - it's running on a non-standard port and
only accepts authentication using keys (rather than normal
account/password).

With that, I can forward connections with SSH port forwarding to (e.g.)
Windows boxes running Terminal Services (get the updated Microsoft client
and you can specify a port number) and web servers.

I don't restrict the IP address because I never know where I'm coming in
from (e.g. once it was someone's wireless LAN in New York that they
hadn't secured and I could pick up the signal from my hotel window).

- Bob
--
Bob Franklin <r.c.franklin at reading.ac.uk> +44 (0)118 378 6630
Systems and Communications, IT Services, The University of Reading, UK
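
The setup described in the message above (one SSH box, key-only authentication, non-standard port) can be checked mechanically. The following is an added example, not part of the original post: a shell function that audits an sshd_config read from stdin. The function name, finding labels and sample configurations are constructed for illustration, and the fallback values assume OpenSSH's documented defaults.

```shell
#!/bin/sh
# Added example: audit an sshd_config (stdin) for key-only auth on a
# non-standard port. Prints one finding per line; returns 1 if any are found.
audit_sshd_config() {
    awk '
    /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
    {
        sub(/[ \t]*=[ \t]*/, " ")                # accept "Keyword=value" form
        key = tolower($1); val = tolower($2)     # keywords are case-insensitive
        if (key == "match") in_match = 1         # conditional blocks run to EOF
        if (in_match) next                       # audit the global section only
        if (key == "challengeresponseauthentication")
            key = "kbdinteractiveauthentication" # deprecated alias
        if (key == "port") { ports[val] = 1; nports++; next }  # Port may repeat
        if (!(key in cfg)) cfg[key] = val        # first value obtained wins
    }
    END {
        # Absent keywords fall back to defaults (assumed: yes, yes, yes, port 22).
        if (!("passwordauthentication" in cfg)) cfg["passwordauthentication"] = "yes"
        if (!("kbdinteractiveauthentication" in cfg)) cfg["kbdinteractiveauthentication"] = "yes"
        if (!("pubkeyauthentication" in cfg)) cfg["pubkeyauthentication"] = "yes"
        if (nports == 0) ports["22"] = 1
        if (cfg["passwordauthentication"] != "no") { print "password-auth-enabled"; n++ }
        if (cfg["kbdinteractiveauthentication"] != "no") { print "kbdinteractive-auth-enabled"; n++ }
        if (cfg["pubkeyauthentication"] != "yes") { print "pubkey-auth-disabled"; n++ }
        if ("22" in ports) { print "default-port-22"; n++ }
        exit (n > 0)
    }'
}

# Constructed sample: keys only, non-standard port (the setup in the post).
HARDENED_CONFIG='Port 2222
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes'

# Constructed sample: passwords left on, port left at the default.
WEAK_CONFIG='# nothing tightened
PasswordAuthentication yes'

# Constructed sample: the later "no" is ignored because the first value wins.
SHADOWED_CONFIG='Port 2222
PasswordAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no'

printf '%s\n' "$WEAK_CONFIG" | audit_sshd_config || true
```

On a live host the same function can read the output of `sshd -T`, which prints the effective configuration.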