Educause Security Discussion mailing list archives
Re: Remote Access to Staff Desktops
From: Dexter Caldwell <Dexter.Caldwell () FURMAN EDU>
Date: Sun, 22 Feb 2009 14:28:33 -0500
I couldn't agree more. We do this sort of restriction on anything since I've been in this position the last few years, but unfortunately on older systems whose birth preceded enforced concerns about security, many people used this for websites and other access, and it's been harder to get users trained and weaned off the old process. As a result, for those few remaining systems, I'm retiring this practice by attrition as users are migrated to a new server where they can be given new processes (and training), and they are, by virtue of the change to the "new server", somewhat more psychologically tractable.

D/C

The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> writes:
> On Fri, 20 Feb 2009 08:29:22 EST, Dexter Caldwell said:
>> I severely limit ssh access from off-campus, however, we have some legacy systems where access is historical or where we've granted it. We constantly get ssh brute force attacks on these servers. The best thing I've done to shut this down is use an ssh brute force signature on the IPS to terminate these attempts. It's been quite successful and users haven't noticed the change.
>
> Something that *way* too few sites bother doing is restricting SSH access up front, if possible. We've had very good success on some of our systems where only a few people needed ssh into the box, of restricting inbound with iptables to only allow the 2 /16s of on-campus addresses, and then identify the /16 each person was likely to land in from their at-home cablemodem or DSL line. No ssh brute forces to worry about, because the chances of the brute-forcer being in the same /16 as our user are vanishingly small... This has the *added* benefit of *also* blocking any non-brute-force ssh attacks, like if somebody finds a 0day. Suddenly, the attacker has to be in one of the 3 or 4 /16s that can get to the box, and attacking from Moldavia or someplace no longer works...
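The quoted reply describes the iptables allow-list approach (accept SSH only from a few /16s, drop the rest) without showing the rules. The script below is an added example, not code from this thread or from either poster: it generates that rule set and includes a check that tells you whether a given address would still be admitted before the rules go live, which is the lockout question a practitioner asks first. It generalises slightly beyond the thread by accepting any prefix length, not only /16. The prefixes are constructed placeholders and the function names (ip_to_int, mask_for_bits, ssh_allowed_from, build_ssh_rules) are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread: generate the iptables allow-list the
# reply describes (SSH accepted only from a few prefixes, everything else
# dropped) and test an address against that list before the rules go live.
# The prefixes below are constructed placeholders; the function names are
# this example's own.
set -eu

# Constructed prefixes: two "campus" ranges plus two ranges standing in for
# the home ISP /16s of the users who actually need ssh. Any prefix length works.
SSH_ALLOWED_CIDRS="10.10.0.0/16 10.20.0.0/16 172.16.0.0/16 172.17.0.0/16"

# Dotted-quad IPv4 address -> 32-bit integer (bash arithmetic is 64-bit, so no overflow).
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Netmask for a prefix length, e.g. 16 -> 0xFFFF0000.
mask_for_bits() {
  echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# Return 0 if $1 falls inside any prefix in SSH_ALLOWED_CIDRS, 1 otherwise.
ssh_allowed_from() {
  local ip=$1 cidr net bits mask
  for cidr in $SSH_ALLOWED_CIDRS; do
    case $cidr in
      */*) net=${cidr%/*}; bits=${cidr##*/} ;;
      *)   net=$cidr;      bits=32 ;;
    esac
    mask=$(mask_for_bits "$bits")
    if [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]; then
      return 0
    fi
  done
  return 1
}

# Emit the rule set, one iptables command per line. Established sessions are
# accepted first so applying the rules cannot cut off the session doing the applying.
build_ssh_rules() {
  echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  local cidr
  for cidr in $SSH_ALLOWED_CIDRS; do
    echo "iptables -A INPUT -p tcp --dport 22 -s $cidr -j ACCEPT"
  done
  echo 'iptables -A INPUT -p tcp --dport 22 -j DROP'
}

# Stand-alone run: print the rules (pipe into sh as root to apply them) and
# show the check for two constructed addresses, one inside and one outside the list.
build_ssh_rules
for addr in 10.10.42.7 192.0.2.1; do
  if ssh_allowed_from "$addr"; then
    echo "# $addr: ssh allowed"
  else
    echo "# $addr: ssh dropped"
  fi
done
```

Run the check against the address you are sitting on before applying the rules; the ESTABLISHED,RELATED rule keeps your current session alive, but it will not help the next login if your own prefix is missing from the list.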
Current thread:
- Re: Remote Access to Staff Desktops, (continued)
- Re: Remote Access to Staff Desktops Greg Francis (Feb 18)
- Re: Remote Access to Staff Desktops Stanclift, Michael (Feb 18)
- Re: Remote Access to Staff Desktops Valdis Kletnieks (Feb 19)
- Re: Remote Access to Staff Desktops Dexter Caldwell (Feb 20)
- Re: Remote Access to Staff Desktops Himes, Daniel (Feb 20)
- Re: Remote Access to Staff Desktops Hammond, Stanley (Feb 20)
- Re: Remote Access to Staff Desktops Scott Dier (Feb 20)
- Re: Remote Access to Staff Desktops Miller, Don C. (Feb 20)
- Re: Remote Access to Staff Desktops James R. Pardonek (Feb 20)
- Re: Remote Access to Staff Desktops Valdis Kletnieks (Feb 21)
- Re: Remote Access to Staff Desktops Dexter Caldwell (Feb 22)
- Re: Remote Access to Staff Desktops Avdagic, Indir (Feb 23)
- Re: Remote Access to Staff Desktops Hugh Burley (Feb 25)