gnhlug-discuss digest, Vol 1 #1694 - 1 msg
Bruce Dawson
jbd at codemeta.com
Mon Dec 19 13:46:00 EST 2005
Joseph wrote:
> Does this SSH server face the internet? Is there a stand alone
> firewall in front of this ssh server (and I don't mean Iptables on the
> machine)? Why no IPSEC or SSL VPN instead? As for the SSH blacklisting
> check out this http://www.pettingers.org/code/sshblack.html
After several years of managing systems on the internet, I've learned a
few things...
* Have dual bastion routers/hosts.
* Firewall the DMZ.
* Maintain the honeypot.
* Monitor the log files.
* If you must have a backdoor, make sure it moves around. A lot.
* Don't do anything obvious (like use standard ports).
* Stay away from the newer standards (like IPSEC, OpenVPN, ...). They
  frequently have bugs that no one knows about at the moment, and
  that someone exploits when you can least afford it.
* Code-review the old stuff - to the extent that you know how it
works internally, and you've found at least 5 bugs.
sshblack looks like a good idea, but I can't figure out if it's
dynamically updated or not (at least, not without reading the code,
which I don't have time for at the moment.)
--Bruce
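The two points that come together in this message, "monitor the log files" and a dynamically updated SSH blacklist, are easy to show in a few dozen lines. The script below is an added example, not sshblack's code and not anything from the thread: it reads OpenSSH "Failed password" lines from an auth log, keeps a sliding-window count per source address, and emits a block entry (with an expiry) once a source crosses a threshold, so the list grows and shrinks on its own rather than being a static file. The threshold, window, block lifetime, sample log lines, hostname and the year stamped onto the syslog timestamps are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the failure lines OpenSSH writes via syslog. The traditional
# syslog prefix carries no year, so one is supplied at parse time.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

# Tunables (assumed values, not from sshblack or the thread).
THRESHOLD = 4                   # failures within WINDOW that trigger a block
WINDOW = timedelta(minutes=10)  # sliding window for counting failures
BLOCK_TTL = timedelta(hours=1)  # how long a block stays on the list
YEAR = 2005                     # assumed year for the year-less syslog stamps

# Constructed sample log lines (RFC 5737 documentation addresses, made-up host).
SAMPLE_LOG = """\
Dec 19 13:40:01 bastion sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Dec 19 13:40:03 bastion sshd[4102]: Failed password for invalid user oracle from 203.0.113.7 port 40130 ssh2
Dec 19 13:40:05 bastion sshd[4103]: Failed password for root from 203.0.113.7 port 40141 ssh2
Dec 19 13:40:06 bastion sshd[4104]: Accepted publickey for jbd from 198.51.100.9 port 51022 ssh2
Dec 19 13:40:09 bastion sshd[4105]: Failed password for root from 203.0.113.7 port 40150 ssh2
Dec 19 13:41:30 bastion sshd[4110]: Failed password for jbd from 198.51.100.9 port 51030 ssh2
Dec 19 13:55:00 bastion sshd[4120]: Failed password for root from 203.0.113.7 port 40200 ssh2
"""


def parse_failures(log_text, year=YEAR):
    """Yield (timestamp, ip, user) for every failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


class Blacklist:
    """Per-source failure counter with automatic block expiry."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW, ttl=BLOCK_TTL):
        self.threshold, self.window, self.ttl = threshold, window, ttl
        self.recent = defaultdict(list)  # ip -> failure timestamps in window
        self.blocked = {}                # ip -> time the block expires

    def observe(self, ts, ip):
        """Record one failure; return True if this failure triggers a new block."""
        # Drop expired blocks first, so the list really is dynamic.
        for b, expiry in list(self.blocked.items()):
            if expiry <= ts:
                del self.blocked[b]
        hits = self.recent[ip]
        hits.append(ts)
        self.recent[ip] = [t for t in hits if ts - t <= self.window]
        if ip not in self.blocked and len(self.recent[ip]) >= self.threshold:
            self.blocked[ip] = ts + self.ttl
            self.recent[ip] = []  # start counting afresh after the block lapses
            return True
        return False

    def is_blocked(self, ip, now):
        expiry = self.blocked.get(ip)
        return expiry is not None and expiry > now


def iptables_rule(ip):
    """Rule a host-based enforcer would add; shown as a string, never executed here."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"


def process_log(log_text):
    """Run the detector over a log; return (blacklist, [(ts, ip) of new blocks])."""
    bl = Blacklist()
    blocks = []
    for ts, ip, _user in parse_failures(log_text):
        if bl.observe(ts, ip):
            blocks.append((ts, ip))
    return bl, blocks


if __name__ == "__main__":
    _, new_blocks = process_log(SAMPLE_LOG)
    for ts, ip in new_blocks:
        print(f"{ts.isoformat()} block {ip}: {iptables_rule(ip)}")
```

On the sample, 203.0.113.7 reaches four failures at 13:40:09 and is blocked until 14:40:09; its later failure at 13:55:00 falls inside the block and does not create a second entry, while the single failure from 198.51.100.9 stays below the threshold. In production the expiry step is what matters most: a list that only ever grows eventually locks out a legitimate address that was briefly shared with an attacker, so a time-bounded block plus a whitelist for known management hosts is the usual shape.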