Server Security (was SSH attack)

Tom Buskey tom at buskey.name
Tue Dec 20 08:24:01 EST 2005


On 12/19/05, Greg Rundlett <greg.rundlett at gmail.com> wrote:

>
> The environment I find myself in now is unlike ones that I'm used to.
> SSH is allowed for some hosts while not for others.  For most host
> access, you need to go through a single point of entry (sentry), and
> then ssh from there over the local network.  (There is both a
> front-end network 10.x.x.x for the hosted machines, and a backend
> network 10.y.y.y).  I'm still trying to understand what all this buys
> me in terms of security, but from my simple perspective of a


It's another layer.  One place I was at did that.  The SSH server was
rebooted every week to break external connections.


> developer, it buys me a large level of complication with no usability.
> I am not really sure what tricks I need to get rsync to go from box C
> (desktop) to box B (sentry) to box A (host) because I've only gone
> from C->A in the past.


On C:
xterm -e 'ssh B -L 44001:A:22'
rsync -e "ssh -p 44001" /local-src-on-C localhost:/remote-dest-on-A


So "ssh -p 44001 localhost" gets you to A


> MySQL is not allowed for any external connection.  I can't use any
> database administration tools on the databases - because I have no
> direct access to the database server on any machine, and even
> installing a 'client' on the server won't work because I can't ssh -X
> to that particular box (and it's not running an X server).


ssh B -L 3306:MySQL_Server:3306   # assuming the MySQL server is reachable from B

Now point your MySQL tools on your desktop at localhost and they get
forwarded to port 3306 on the MySQL server (which is MySQL)

Using this, you use the GUI on your desktop and the server doesn't have the
potential security holes, RAM and CPU usage introduced by a GUI.

If B can get to everything internally, you can forward any TCP port you'd
like.

> So, (I could easily be opining on things which I do not know enough
> about) according to what I know about thwarting script kiddies, and
> having good security measures while still providing critical services,
> it seems like it would be a 'best practice' approach to open SSHd and
> MySQLd to known IP address(es) using strong passwords, and non-standard
> ports.  Of course, this presumes having a hardened OS, secured MySQL
> server, and updated SSHd.
>
> Maybe it's time to go read that book about secure servers.



--
A strong conviction that something must be done is the parent of many bad
measures.
  - Daniel Webster
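Added example (not part of the original post): a small POSIX sh helper that builds the C -> B (sentry) -> A forward and the MySQL forward from the reply above in a hardened form, and checks a -L spec for where its listener binds. The host names B, A, MySQL_Server and port 44001 come from the thread; the function names, the option choices (-N, ExitOnForwardFailure, an explicit 127.0.0.1 bind) and the ProxyJump variant are this example's own assumptions. ProxyJump (-J) needs OpenSSH 7.3 or newer, which postdates the 2005 post.

```shell
#!/bin/sh
# Example helpers for the sentry (jump host) pattern discussed on the list.
# Not the original poster's code; hostnames follow the thread, options are
# this example's choices.

# Print an ssh command that opens a local forward through the sentry.
#   $1 = jump host (B)   $2 = target host (A or MySQL_Server)
#   $3 = target port     $4 = local port on the desktop (C)
# Design choices:
#   -N                      : no remote shell; the session exists only for the tunnel
#   -o ExitOnForwardFailure : fail loudly if the local port is already taken
#                             instead of silently connecting without the forward
#   127.0.0.1: bind prefix  : make the loopback-only listener explicit, so the
#                             tunnel stays unreachable from the LAN even if
#                             GatewayPorts is later enabled in ssh_config
forward_cmd() {
    jump=$1; target=$2; tport=$3; lport=$4
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:%s %s\n' \
        "$lport" "$target" "$tport" "$jump"
}

# rsync command that rides the tunnel: ssh is pointed at the local port.
#   $1 = local port   $2 = local source on C   $3 = destination path on A
rsync_cmd() {
    printf 'rsync -e "ssh -p %s" %s localhost:%s\n' "$1" "$2" "$3"
}

# Newer alternative (OpenSSH >= 7.3): let ssh hop through B itself, so no
# listener is opened on the desktop at all.
#   $1 = jump host (B)   $2 = target (A)   $3 = local source   $4 = dest path
rsync_jump_cmd() {
    printf 'rsync -e "ssh -J %s" %s %s:%s\n' "$1" "$3" "$2" "$4"
}

# Classify a -L forward spec by where its listener binds.
# Returns 0 when the listener is loopback-only, 1 when the spec would expose
# the tunnel to other hosts ("*:", "0.0.0.0:", or a bare leading ":").
# A spec with no bind address defaults to loopback in OpenSSH because
# GatewayPorts is "no" by default, so it is accepted.
forward_is_loopback() {
    case "$1" in
        127.0.0.1:*|localhost:*|::1:*) return 0 ;;
        \*:*|0.0.0.0:*|:*)            return 1 ;;
        *)                            return 0 ;;
    esac
}

# Usage (as typed on C; nothing is executed here, only printed):
#   forward_cmd B A 22 44001
#   rsync_cmd 44001 /local-src-on-C /remote-dest-on-A
#   forward_cmd B MySQL_Server 3306 3306
#   rsync_jump_cmd B A /local-src-on-C /remote-dest-on-A
```

After starting the forward, `ss -ltn` (or `netstat -ltn` on older systems) on the desktop should show the port listening on 127.0.0.1 only; a 0.0.0.0 listener there means the tunnel is reachable by anyone who can reach the desktop, which is the exposure the bind check above is meant to catch.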

