Educause Security Discussion mailing list archives

Re: Remote Access to Staff Desktops


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Fri, 20 Feb 2009 00:45:58 -0500

On Wed, 18 Feb 2009 09:14:52 CST, Mark Monroe said:
> We allow it only through VPN. For users who say they need ssh open
> without VPN, they can have it open only if they implement technology on
> their box that will blacklist any IP address after 3 failed attempts
> and any IP address that tries to use root. I have not opened any yet
> outside systems run by core IT staff. I guess they didn't really need it.

Or they really *did* need it, but they ran into troubles deploying your
requirements, gave up, and are now fulfilling their business need with
some cobbled-up scheme involving storing their data on some offsite server
you have absolutely no administrative control over... ;)

(I've seen more than one "block any address that tries to use root" go badly
astray when the sysadmin accidentally tried to ssh to the other box from an
'su' window on their local box, and then was of course unable to connect to the
remote box to fix the problem.  Of course, at that point, they were *also*
unable to fix the *other* problem which was the reason they were ssh'ing to the
box in the first place. Anybody want to guess what happened to that code
as soon as that sysadmin *was* able to log in? ;)
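
An added example, not part of the original post and not either poster's code: the rule quoted above (blacklist after 3 failed attempts, or on any root attempt) applied to constructed OpenSSH log lines, with an exemption list for management networks so that the self-lockout described in the reply is recorded for review instead of enforced. The function name `decide`, the exempt network and every address below are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
# Constructed sample lines in the OpenSSH syslog format (documentation addresses only).
SAMPLE_LOG = """\
Feb 20 00:01:02 box sshd[101]: Failed password for invalid user bob from 203.0.113.7 port 4001 ssh2
Feb 20 00:01:05 box sshd[102]: Failed password for invalid user alice from 203.0.113.7 port 4002 ssh2
Feb 20 00:01:09 box sshd[103]: Failed password for bob from 203.0.113.7 port 4003 ssh2
Feb 20 00:02:00 box sshd[104]: Failed password for root from 198.51.100.9 port 5001 ssh2
Feb 20 00:03:00 box sshd[105]: Failed password for jdoe from 198.51.100.20 port 5002 ssh2
Feb 20 00:03:30 box sshd[106]: Failed password for jdoe from 198.51.100.20 port 5003 ssh2
Feb 20 00:03:40 box sshd[107]: Accepted password for jdoe from 198.51.100.20 port 5004 ssh2
Feb 20 00:04:00 box sshd[108]: Failed password for root from 192.0.2.10 port 6001 ssh2
"""

def decide(log_text, exempt_nets, max_failures=3):
    """Return (to_block, spared): IPs to blacklist, and exempt IPs that tripped a rule."""
    exempt = [ipaddress.ip_network(n) for n in exempt_nets]
    failures = defaultdict(int)
    root_tried = set()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        user, src = m.groups()
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            continue  # not a literal IP address: never block on an unparsed field
        failures[ip] += 1
        if user == "root":
            root_tried.add(ip)
    to_block, spared = set(), {}
    for ip, count in failures.items():
        reasons = []
        if count >= max_failures:
            reasons.append(f"{count} failed attempts")
        if ip in root_tried:
            reasons.append("tried root")
        if not reasons:
            continue
        if any(ip in net for net in exempt):
            spared[str(ip)] = reasons  # keep the admin path open, but record the hit
        else:
            to_block.add(str(ip))
    return to_block, spared
```

Calling `decide(SAMPLE_LOG, ["192.0.2.0/24"])` blocks the two outside sources and reports the management workstation's root attempt without blocking it; with an empty exemption list the same workstation is blocked.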
