Security Basics mailing list archives

Re: Securing SSH


From: security <security () kalamiteit nl>
Date: Sat, 10 Jan 2004 03:40:14 +0100

Hi,

You can of course allow a whole range or a domain to access a running service on your system through your /etc/hosts.allow. You can also add something like a "backdoor" that you have to trigger to get access to your machine; I find tools like SAdoor pretty nice ( http://cmn.listprojects.darklab.org/ ).

/etc/hosts.allow:

sshd: LOCAL, .some.domain.org xxx.xxx.xxx.xxx XXX.XXX.XxX.XXX

That should allow your engineers who use dial-up to always be able to log on, as their host will still be "something.some.domain.org". Of course that gives access to all the people using that ISP, but how many people do NOT use it?

Also try to use some hostname for your IP: register a hostname that points to your IP, and if the ISP changes your IP, you will always be able to change it. Let me explain: your IP is 123.123.123.123, and you have a domain that points to that IP, let's say "home.host.org" (which is allowed in the /etc/hosts.allow). If the ISP changes the IP, you only need to tell "home.host.org" to point to the new IP, and you will be able to access your machine again! I hope you understand what I mean, as it is late here and I am pretty tired!

cheers
Amine

Roland Venter wrote:

I need to manage several servers remotely via SSH, I'm interested in ways to
secure the connection and prevent unauthorised access.

My thoughts:
Limit access to only allow remote connections from our management network
via iptables rules. Works but what if our ISP changes our fixed IP, which
means we are effectively locked out from all the servers and requires a site
visit to update the rules.

We also need to provide access to engineers working from home using dialup,
etc

Some sort of client certificates to supplement username and password,

Recommendations on securing the SSH daemon etc

Any ideas and tips or random thoughts appreciated

Cheers,
Roland
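
The host patterns in the hosts.allow line above, as an added example that is not part of the original post: a simplified Python model of how tcp_wrappers matches clients, in which a name counts only when the reverse lookup of the client address is confirmed by a forward lookup (the PARANOID check in hosts_access(5)). The DNS tables, the addresses and the `home.host.org` entry in `RULE` are constructed for illustration.

```python
# Added example: a simplified model of the tcp_wrappers host patterns used in
# the hosts.allow line above. All names, addresses and DNS data are constructed.

# Constructed DNS data standing in for real lookups so the example runs offline.
PTR = {  # reverse DNS: address -> name set by whoever controls the reverse zone
    "192.0.2.10": "dialup-10.some.domain.org",
    "198.51.100.7": "dialup-99.some.domain.org",  # claimed name, not confirmed below
    "203.0.113.5": "home.host.org",
}
A = {  # forward DNS: name -> addresses published by the owner of the name
    "dialup-10.some.domain.org": {"192.0.2.10"},
    "dialup-99.some.domain.org": {"192.0.2.99"},
    "home.host.org": {"203.0.113.5"},
}


def client_name(addr):
    """Return the PTR name only if its forward lookup contains addr, else None."""
    name = PTR.get(addr)
    if name and addr in A.get(name, set()):
        return name.lower()
    return None


def pattern_matches(pattern, addr, name):
    """Match one hosts.allow client pattern against a client address and name."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                 # host name without a dot
        return name is not None and "." not in name
    if pattern.startswith("."):            # domain suffix, e.g. .some.domain.org
        return name is not None and name.endswith(pattern.lower())
    if pattern.endswith("."):              # address prefix, e.g. 192.0.2.
        return addr.startswith(pattern)
    return pattern.lower() == name or pattern == addr  # exact name or address


def sshd_allowed(rule, addr):
    """Evaluate a single 'sshd: ...' rule; patterns split on commas or spaces."""
    daemon, _, clients = rule.partition(":")
    if daemon.strip() != "sshd":
        return False
    name = client_name(addr)
    return any(pattern_matches(p, addr, name)
               for p in clients.replace(",", " ").split())


RULE = "sshd: LOCAL, .some.domain.org home.host.org"
```

Name patterns are compared with the name looked up from the connecting address, so in this model `home.host.org` matches only while that address's reverse record also names it.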





