Re: ssh login protection

[Burak Bilen <bilen () metu edu tr>]

You could try a two-tier approach. Put an external server(a Pentium-133 
is enough) between your mail servers and the world.
Then allow ssh access(disabling root access) to this external server 
from all of the world. And configure your mail servers that only the
external server is able to ssh your mail servers.

Edmund wrote:

> Hi,
>
> I was wondering if someone could clarify something for me.
> I often ssh into two mail servers from dialup(thus dynamic
> ip) at home.
>
> Right now, I specify which IPs that can ssh into the two
> machines but for dynamic IPs, I can't do that unless I
> go crazy and allow xx.xx.xx.xx/16, which is not very
> secure.  But due to the importance of me needing to ssh
> to the servers, I've been 'slacking' off the security
> and allowing a certain range of IPs (those that I'm
> certain are from my ISP at home).
> Can someone tell me if this is the appropriate way?
> Or do I allow any IPs from sshing?
>
>
> The reason why I'm asking is that I'll be taking
> a holiday and believe I'll also need to ssh to the
> mail servers.   I don't know the IPs ahead of
> time since where I'll be staying, it'll also be
> dynamically assigned.
>
> Is there a solution to this problem?  I don't
> want to open the servers to attacks from any
> SSH-related issues that crackers would take
> advantage of.
>
> Any help appreciated
>
>
>
>
>
> --------------------------------------------------------------------------- 
>
> ---------------------------------------------------------------------------- 




---------------------------------------------------------------------------
----------------------------------------------------------------------------