Educause Security Discussion mailing list archives
Re: How do you all handle SSH access to campus resources?
From: David Shettler <dshettle () HOLYCROSS EDU>
Date: Sun, 8 May 2005 06:32:21 -0400
We're allowing ssh into a gateway system in a DMZ, where they can then hop around/tunnel etc. We're also limiting access to key authentication only -- reduces our problems with brute force drastically.

There are a couple exceptions, but those exceptions are in their own isolated DMZ (faculty members with projects requiring external access, etc.). We treat them as if they were an external entity from a security perspective.

We're going the VPN route, but for admins only; the rest of the world will continue to get in via their keys.

David C. Shettler - GCFA
Senior Technical Services Engineer
College of the Holy Cross
508-793-3073
Michael.Horne () OLIN EDU 05/04/05 11:22 AM >>>
Hello,

First time poster here looking for some info on how Universities and others handle SSH access to their campus and how restrictive it is configured. I have been following the SSH thread and this aspect has not come up to date. By the way we have implemented some of the recommendations posted. Thanks!

Background here is we are a small college with 200+ students and 75+ faculty members. IT is made up of 15 people and we do it all; I am the network / security eng.

Currently we have a single SSH gateway on a DMZ. We allow connections from the internet and are allowing port forwarding through the gateway to internal resources. We have, as you all have, been spammed by the number of brute force attempts into our systems.

I have been tasked with trying to cut down the allowed source IPs and was wondering how and if any of you have any luck with global blocking of ranges from known abuse sources for SSH access? I.e., anyone have any luck with blocking APNIC ranges for home cable modem users, which seems to be a large source of the brute force attempts?

Any info would be greatly appreciated.

Thanks
Mike

Michael Horne
Network Engineer
Olin College
Olin Way
Needham, MA 02492
781-292-2438

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
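The thread weighs key-only authentication against blocking whole source ranges. The following added example (not part of either post) tallies failed password attempts per source /24 from gateway logs and flags ranges that also carry accepted logins, which is the check to run before blocking a range. It assumes OpenSSH's standard syslog message format; the log lines, host name `gw`, user names and addresses are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in OpenSSH's syslog message format (not real log data).
SAMPLE_LOG = """\
May  4 11:01:02 gw sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
May  4 11:01:04 gw sshd[2103]: Failed password for root from 203.0.113.5 port 40120 ssh2
May  4 11:01:07 gw sshd[2107]: Failed password for invalid user test from 203.0.113.77 port 51544 ssh2
May  4 11:02:15 gw sshd[2110]: Accepted publickey for alice from 198.51.100.7 port 33210 ssh2
May  4 11:03:40 gw sshd[2114]: Failed password for alice from 198.51.100.7 port 33218 ssh2
May  4 11:05:00 gw sshd[2120]: Accepted password for bob from 203.0.113.200 port 60001 ssh2
"""

# Matches both outcomes; "invalid user" is optional in the failure message.
EVENT = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) (password|publickey) for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+"
)

def summarize(log_text, prefix=24):
    """Return (failed, accepted) Counters keyed by source network."""
    failed, accepted = Counter(), Counter()
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        outcome, _method, _user, addr = m.groups()
        try:
            net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        except ValueError:
            continue  # sshd logged a host name instead of an address
        (failed if outcome == "Failed" else accepted)[net] += 1
    return failed, accepted

def block_candidates(log_text, threshold=3, prefix=24):
    """Networks with >= threshold failures, plus whether real users log in from them."""
    failed, accepted = summarize(log_text, prefix)
    return [(str(net), count, accepted[net] > 0)
            for net, count in failed.most_common() if count >= threshold]

if __name__ == "__main__":
    for net, fails, has_users in block_candidates(SAMPLE_LOG):
        note = "accepted logins seen, review before blocking" if has_users else "no accepted logins"
        print(f"{net}: {fails} failed passwords ({note})")
```

With key-only authentication enforced on the gateway, the "Failed password" lines can no longer turn into a successful guess, so the same report becomes a noise measurement rather than a risk measurement.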
Current thread:
- How do you all handle SSH access to campus resources? Michael Horne (May 04)
- <Possible follow-ups>
- Re: How do you all handle SSH access to campus resources? Chad McDonald (May 04)
- Re: How do you all handle SSH access to campus resources? Jeff Kell (May 04)
- Re: How do you all handle SSH access to campus resources? Michael Horne (May 04)
- Re: How do you all handle SSH access to campus resources? David Shettler (May 08)