[svlug] Firewalls?

Don Marti dmarti at zgp.org
Wed Jan 24 19:01:00 PST 2007


begin Brian J. Tarricone quotation of Wed, Jan 24, 2007 at 12:19:42PM -0800:
> 
> Don Marti wrote:
> 
> > Some ways to lower the risk from this person [doing a stealth scan]
> > are
> [...]
> > (3) use both ssh configuration and
> > local firewall rules to enforce a policy of "don't accept ssh
> > connections from hosts that themselves accept incoming ssh"
> 
> Could you explain this one?  I don't understand the security benefit,
> and I see a practical problem: many (most?) of the hosts I ssh from
> themselves have sshd running (because I [and others] often ssh to them
> when I'm in other locations).  So this policy would either mean I'd have
> to maintain a whitelist, or shut down the local ssh daemon whenever I
> want to access a host implementing your recommendation.

It's safest to keep ssh private keys (or any private
keys, really) only on machines that don't have any
kind of remote access.

What you don't want is someone compromising your web
server, then getting to your database server because
you ssh from the web server to the database server
before you knew the web server was compromised.

-- 
Don Marti
http://zgp.org/~dmarti/
dmarti at zgp.org
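The policy Don describes (accept ssh only from hosts that do not themselves run sshd, and keep private keys off remotely reachable machines) expressed as a small inventory check that emits the matching sshd and firewall rules; this is an added example, not code from the thread, and the host names and addresses are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    addr: str
    runs_sshd: bool           # accepts incoming ssh connections
    holds_keys: bool = False  # has ssh private keys on disk


# Constructed inventory for illustration; names and addresses are invented.
INVENTORY = [
    Host("admin-laptop", "10.0.0.5", runs_sshd=False, holds_keys=True),
    Host("web", "10.0.1.10", runs_sshd=True, holds_keys=True),  # keys on a reachable host
    Host("db", "10.0.2.20", runs_sshd=True),
]


def allowed_ssh_sources(inventory):
    """Hosts permitted to open ssh sessions: only those that accept no incoming ssh."""
    return [h for h in inventory if not h.runs_sshd]


def policy_violations(inventory):
    """Hosts that hold private keys yet accept remote ssh (the web -> db pivot risk)."""
    return [h.name for h in inventory if h.runs_sshd and h.holds_keys]


def sshd_config_fragment(inventory):
    """sshd_config lines restricting logins by source address (AllowUsers user@host)."""
    allowed = " ".join(f"*@{h.addr}" for h in allowed_ssh_sources(inventory))
    return "\n".join([
        "# Generated: only hosts without their own sshd may log in",
        f"AllowUsers {allowed}",
    ])


def iptables_rules(inventory, port=22):
    """Matching local firewall rules: accept the allowed sources, drop all other ssh."""
    rules = [f"iptables -A INPUT -p tcp --dport {port} -s {h.addr} -j ACCEPT"
             for h in allowed_ssh_sources(inventory)]
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


def would_accept(inventory, client_addr):
    """Simulate the combined policy for a connection attempt from client_addr."""
    return client_addr in {h.addr for h in allowed_ssh_sources(inventory)}


if __name__ == "__main__":
    print(sshd_config_fragment(INVENTORY))
    print("\n".join(iptables_rules(INVENTORY)))
    print("violations:", policy_violations(INVENTORY))
```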



