Educause Security Discussion mailing list archives

Re: How do you all handle SSH access to campus resources?

From: David Shettler <dshettle () HOLYCROSS EDU>
Date: Sun, 8 May 2005 06:32:21 -0400

We're allowing ssh into a gateway system in a DMZ, where they can then
hop around/tunnel etc.  We're also limiting access to key authentication
only -- reduces our problems with brute force drastically.  There are a
couple exceptions, but those exceptions are in their own isolated DMZ
(faculty members with projects requiring external access, etc.).  We
treat them as if they were an external entity from a security
perspective.  We're going the VPN route, but for admins only, the rest
of the world will continue to get in via their keys.

David C. Shettler - GCFA
Senior Technical Services Engineer
College of the Holy Cross
508-793-3073

Michael.Horne () OLIN EDU 05/04/05 11:22 AM >>>

Hello,

First time poster here looking for some info on how Universities and
others handle SSH access to there campus and how restrictive it is
configured.
I have been following the SSH thread and this aspect has not come up to
date. By the way we have implemented some of the recommendations posted.
Thanks!

Background here is we are a small college with 200+ students and 75+
faculty members IT is made up by 15 people and we do it all, I am the
network / security eng.
Currently we have a single SSH gateway on a DMZ.
We allow connections from the internet and are allowing port forwarding
through the gateway to internal resources.
We have as you all have been spam'd by the number of brute force
attempts into our systems.
I have been tasked with trying to cut down the allowed source IP's and
was wondering how and if any of you have any luck with global blocking
of ranges from known abuse sources for SSH access?
I.e... Anyone have any luck with blocking APNIC ranges for home cable
modem users which seems to be a large source of the brute force
attempts?

Any info would be greatly appreciated.

Thanks
Mike

Michael Horne
Network Engineer
Olin College
Olin Way Needham, MA 02492
781-292-2438

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at
http://www.educause.edu/groups/.

Current thread:

How do you all handle SSH access to campus resources? Michael Horne (May 04)
- <Possible follow-ups>
- Re: How do you all handle SSH access to campus resources? Chad McDonald (May 04)
- Re: How do you all handle SSH access to campus resources? Jeff Kell (May 04)
- Re: How do you all handle SSH access to campus resources? Michael Horne (May 04)
- Re: How do you all handle SSH access to campus resources? David Shettler (May 08)