FC6 VPN

Jim Douglas jdz99 at hotmail.com
Tue Dec 19 22:13:26 UTC 2006


>From: James Wilkinson <fedora at aprilcottage.co.uk>
>Reply-To: For users of Fedora <fedora-list at redhat.com>
>To: fedora-list at redhat.com
>Subject: Re: FC6 VPN
>Date: Tue, 19 Dec:23:23 +0000
>
>Jim Douglas wrote:
>
> > VPN w/ SSH is overkill I think, all I need is to securely access a remote
> > box...from Windows Client -> Linux Server.
>
>Very often that will involve PuTTY. PuTTY also makes tunnelling very
>easy, and is a *very* good terminal emulator.
>
> > I think I found the answer,
> > http://freenx.berlios.de/
> >
> > I have SSH up and running, anyone have any good links to securing my SSH
> > configuration?
>
>1. Stick to SSH 2 (in /etc/ssh/sshd_config, use the Protocol keyword)
>2. Set up private keys and disable password-based logins
>3. Changing the port that SSH listens on will not deter a determined
>    attacker, but may help you work out that you've got a determined
>    attacker.
>4. Make sure you run yum update regularly.
>5. Use AllowUsers or AllowGroups to limit which users can log on
>    remotely. Don't allow direct root logins -- get users to login as
>    themselves and su - (this means attackers have to work out which
>    usernames are valid).
>6. If you must use passwords, make sure they're not dictionary words and
>    include at least one (better, several) numbers or symbols.
>7. Distribute the server public keys via trusted networks -- don't trust
>    the client's ability to "learn" the server's key when it first
>    connects, since you don't know that the remote computer really *is*
>    your server.
>
>But really, there's not much securing needed with SSH. It's only really
>vulnerable to a security bug at either end, a dictionary attack, a
>man-in-the-middle attack during the first connection, or some new,
>unknown mathematics.
>
>Hope this helps,
>
>James.
>
>--
>E-mail:     james@ | For every complex problem, there is a solution that is
>aprilcottage.co.uk | simple, neat, and wrong.
>


I saw PuTTY; it won't do everything I need. Thanks for the feedback.

One final question...

I can connect to port 22 inside the firewall and I don't want to create any holes.  Can you see any problems with adding this to iptables?

iptables -I RH-Firewall-1-INPUT 3 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
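A small audit script for items 1, 2 and 5 of James's checklist, added here as an example rather than anything from the thread; the keyword names are real sshd_config keywords, while the two sample config files it checks are constructed.

```sh
#!/bin/sh
# Audit an sshd_config against checklist items 1, 2 and 5 quoted above.
# Added example; the sample configs written below are constructed.

# Print the effective value of KEYWORD in FILE. sshd matches keywords
# case-insensitively and uses the first uncommented occurrence; Match
# blocks are not handled by this simple scan.
get_opt() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

findings=0
# check FILE KEYWORD EXPECTED NOTE: report a deviation and count it.
check() {
    v=$(get_opt "$1" "$2")
    if [ "$v" != "$3" ]; then
        echo "$2 should be '$3' (found '${v:-unset}'): $4"
        findings=$((findings + 1))
    fi
}

# Report each deviation on stdout; return the number of findings (0 = clean).
audit_sshd_config() {
    findings=0
    check "$1" Protocol 2 "item 1: SSH-1 is broken, set it explicitly"
    check "$1" PasswordAuthentication no "item 2: keys only, no dictionary attacks"
    check "$1" PermitRootLogin no "item 5: attackers must guess a valid username first"
    if [ -z "$(get_opt "$1" AllowUsers)" ] && [ -z "$(get_opt "$1" AllowGroups)" ]; then
        echo "AllowUsers/AllowGroups unset: every account with a shell can log in remotely"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed samples: a near-default config and a hardened one.
WEAK=$(mktemp); HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT
printf '%s\n' '#Protocol 2,1' '#PermitRootLogin yes' \
    'PasswordAuthentication yes' 'X11Forwarding yes' > "$WEAK"
printf '%s\n' 'Protocol 2' 'PermitRootLogin no' 'PasswordAuthentication no' \
    'PubkeyAuthentication yes' 'AllowGroups sshusers' > "$HARD"

echo "== weak config =="; audit_sshd_config "$WEAK" || echo "-> $? finding(s)"
echo "== hardened config =="; audit_sshd_config "$HARD" || echo "-> $? finding(s)"
```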
