Hi,
Was thinking of running Arch on one of my servers at home and opening up SSH in the router (port forward) to the Arch server.
If I only run a basic archinstall with Samba and an SSH daemon, it's kinda safe, right?
I know the threat is always higher if you have more services running on the box, but it will only hold Samba for local file sharing and SSH to connect to the server from my work!
[ logicspot.NET | mempad.org ]
Archlinux x64
1. Run it on a non-standard port such as 2222 or 1022 etc.
2. Disable root login
3. Allow connections only from certain source addresses if possible.
4. Use key based authentication instead of passwords.
I run several Arch servers exposed to the internet with the above precautions and never had a problem.
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
And a nice firewall that closes up all possible holes (not just inbound traffic, also outbound traffic). You can't lock that stuff down enough.
Got Leenucks? :: Arch: Power in simplicity :: Get Counted! Registered Linux User #392717 :: Blog thingy
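To make the "inbound and outbound" point concrete, here is an added example (not from the thread or from any Arch package): a default-deny ruleset in iptables-restore format, generated by a shell function so it can be reviewed before it is loaded. The values are assumptions: SSH on port 2222, logins allowed only from 203.0.113.0/24 (a documentation range standing in for the poster's work network), and Samba reachable only from a LAN of 192.168.1.0/24. Everything else, in both directions, is logged at a low rate and dropped.

```shell
#!/bin/sh
# Added example, not from the thread: default-deny firewall for a box that
# runs only sshd (port-forwarded from the router) and Samba (LAN only).
# Assumed values: SSH port 2222, trusted SSH source 203.0.113.0/24,
# LAN 192.168.1.0/24. Output is iptables-restore format.
firewall_rules() {
    ssh_port="${1:-2222}"
    trusted="${2:-203.0.113.0/24}"
    lan="${3:-192.168.1.0/24}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback and replies to flows we already allowed, in both directions
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets that belong to no known connection are dropped outright
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH: only from the trusted source range, new connections rate-limited
-A INPUT -p tcp --dport $ssh_port -s $trusted -m conntrack --ctstate NEW -m limit --limit 6/min --limit-burst 6 -j ACCEPT
# Samba: LAN only, so the port forward on the router can never reach it
-A INPUT -p tcp -s $lan -m multiport --dports 139,445 -m conntrack --ctstate NEW -j ACCEPT
# outbound: only what the box itself needs (DNS, NTP, HTTP/HTTPS for pacman)
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# log what falls through (rate-limited) so a misconfiguration shows up in the logs
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop-in: "
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop-out: "
COMMIT
EOF
}

# Load the ruleset atomically. Needs root and iptables; review the output of
# firewall_rules first, since a typo here locks you out of a remote box.
apply_firewall() {
    firewall_rules "$@" | iptables-restore
}

if [ "${1:-}" = "demo" ]; then
    firewall_rules 2222 203.0.113.0/24 192.168.1.0/24
fi
```

Run the script with `demo` to print the ruleset; `apply_firewall` loads it. The outbound policy is what makes this more than a port filter: if something on the box is ever compromised, it cannot call home or pull a second stage over any port that is not explicitly listed.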
I also like to put an "AllowGroup sshusers" into sshd_config, that way only users in that group can do a remote login.
[git] | [AURpkgs] | [arch-games]
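The four precautions listed earlier and the group restriction from this post all live in sshd_config, so here is one added example covering both (it is not code from the thread): a shell script that prints the hardened settings as a fragment and audits an existing config file for them. Assumed values are port 2222 and a login group called sshusers; the directive for the group restriction is spelled AllowGroups in sshd_config. The audit reads the file the way sshd does (first occurrence of a directive wins, names are case-insensitive) but does not evaluate Match blocks, so `sshd -T` remains the authoritative view of what is actually in effect.

```shell
#!/bin/sh
# Added example, not from the thread: emit the thread's sshd hardening as a
# config fragment and audit a config file for the same settings.
# Assumptions: port 2222, login group "sshusers".

# Fragment for /etc/ssh/sshd_config (or a drop-in under sshd_config.d).
hardened_fragment() {
    port="${1:-2222}"
    group="${2:-sshusers}"
    cat <<EOF
# non-standard port: cuts scanner noise in the logs, not a security boundary
Port $port
# root never logs in directly; use a normal user plus sudo
PermitRootLogin no
# keys only: password and keyboard-interactive prompts are both off
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
# only members of this group may log in at all
AllowGroups $group
MaxAuthTries 3
EOF
}

# Effective value of one directive: first match wins, case-insensitive name,
# comment lines ignored. Match blocks are not evaluated.
sshd_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# One check: prints ok/FAIL and returns 1 on FAIL.
check_directive() {
    got="$(sshd_get "$1" "$2")"
    if [ "$got" = "$3" ]; then
        echo "ok    $2 $got"
        return 0
    fi
    echo "FAIL  $2 is '${got:-unset}', want '$3'"
    return 1
}

# Audit a config file; the return value is the number of failed checks.
audit_sshd_config() {
    cfg="$1"
    fails=0
    check_directive "$cfg" PermitRootLogin no        || fails=$((fails + 1))
    check_directive "$cfg" PasswordAuthentication no || fails=$((fails + 1))
    check_directive "$cfg" PubkeyAuthentication yes  || fails=$((fails + 1))
    port="$(sshd_get "$cfg" Port)"
    if [ -n "$port" ] && [ "$port" != 22 ]; then
        echo "ok    Port $port"
    else
        echo "FAIL  Port is ${port:-22 (default)}, want a non-standard port"
        fails=$((fails + 1))
    fi
    if [ -n "$(sshd_get "$cfg" AllowGroups)" ]; then
        echo "ok    AllowGroups $(sshd_get "$cfg" AllowGroups)"
    else
        echo "FAIL  AllowGroups unset: every account with a shell may log in"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed stand-in for a stock config (everything still commented out).
stock_config() {
    cat <<'EOF'
#Port 22
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
Subsystem sftp /usr/lib/ssh/sftp-server
EOF
}

if [ "${1:-}" = "demo" ]; then
    tmp="$(mktemp)"
    stock_config > "$tmp"
    echo "== stock config =="; audit_sshd_config "$tmp" || echo "$? checks failed"
    hardened_fragment > "$tmp"
    echo "== hardened fragment =="; audit_sshd_config "$tmp" && echo "all checks passed"
    rm -f "$tmp"
fi
```

Run it with `demo` to see both reports side by side. Create the group with `groupadd sshusers` and add your own account before restarting sshd, and keep the existing session open until a second login works, otherwise AllowGroups will lock you out of your own server.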
Thx guys, many suggestions...
Just one thought... what is key-based authentication?
[ logicspot.NET | mempad.org ]
Archlinux x64
I also like to put an "AllowGroup sshusers" into sshd_config, that way only users in that group can do a remote login.
Ah yes, I knew there was one I forgot, thanks
Thx guys, many suggestions...
Just one thought... what is key-based authentication?
http://www.ibm.com/developerworks/library/l-keyc.html
http://pkeck.myweb.uga.edu/ssh/
Last edited by fukawi2 (2009-05-27 23:07:34)
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
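Since the question was what key-based authentication actually is, here is an added example (not from the thread or the linked articles) showing both halves in shell: the client generates a key pair and keeps the private key, the server gets the public key in ~/.ssh/authorized_keys, and sshd then verifies a signature made with the private key instead of checking a password. The names are hypothetical (user alice, key comment alice@laptop, host home-server on port 2222) and the public key line in the script is constructed, not a real key.

```shell
#!/bin/sh
# Added example, not from the thread: client and server halves of key-based
# SSH authentication. Hypothetical names: alice, alice@laptop, home-server:2222.

# Client side. Ed25519 keys are small and fast; ssh-keygen asks for a
# passphrase, which protects the private key file if the laptop is lost.
generate_client_key() {
    keyfile="${1:-$HOME/.ssh/id_ed25519}"
    command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not installed" >&2; return 1; }
    ssh-keygen -t ed25519 -f "$keyfile" -C "alice@laptop"
    echo "public key to copy to the server: $keyfile.pub"
}

# Accept only lines that look like an OpenSSH public key: a known key type
# followed by base64 key material. A private key, a password or anything
# else pasted by mistake is rejected.
valid_pubkey_line() {
    set -f            # no globbing while the line is split into words
    set -- $1         # $1 = key type, $2 = key material, $3 = optional comment
    set +f
    case "$1" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$2" | grep -Eq '^[A-Za-z0-9+/]+=*$'
}

# Server side: install one public key for the account whose home is $1.
# Permissions matter: with StrictModes (the default) sshd ignores
# authorized_keys if the file or ~/.ssh is writable by anyone but the owner.
install_authorized_key() {
    home="$1"
    line="$2"
    valid_pubkey_line "$line" || { echo "refusing: not a public key line" >&2; return 1; }
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys" && chmod 600 "$home/.ssh/authorized_keys"
    # idempotent: append only if this exact line is not already present
    grep -qxF "$line" "$home/.ssh/authorized_keys" \
        || printf '%s\n' "$line" >> "$home/.ssh/authorized_keys"
}

# Constructed public key line for the demo; this is not a real key.
DEMO_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterialForThisExampleOnly0 alice@laptop'

if [ "${1:-}" = "demo" ]; then
    d="$(mktemp -d)"
    install_authorized_key "$d" "$DEMO_PUBKEY" && cat "$d/.ssh/authorized_keys"
    install_authorized_key "$d" 'hunter2' || echo "rejected as expected"
    rm -rf "$d"
fi
# Once "ssh -p 2222 alice@home-server" logs in with the key, set
# PasswordAuthentication no in sshd_config so passwords stop being accepted.
```

In day-to-day use `ssh-copy-id -p 2222 alice@home-server` does the server-side step for you; the function above spells out what it has to get right (the 700/600 permissions and no duplicate lines). Only switch passwords off after a key login has been confirmed from a second session.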
Port-knocking is a must, I think. Simple to set up. Of course, you'd need other security too.
Allan-Volunteer on the (topic being discussed) mailing lists. You never get the attention of the people who matter on the forums.
jasonwryan-Installing Arch is a measure of your literacy. Maintaining Arch is a measure of your diligence. Contributing to Arch is a measure of your competence.
Griemak-Bleeding edge, not bleeding flat. Edge denotes falls will occur from time to time. Bring your own parachute.
Port-knocking is a must, I think. Simple to set up. Of course, you'd need other security too.
Certainly another tool on the belt, but I wouldn't call it a must. Disallowing root login is a must.
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
ngoonee wrote: Port-knocking is a must, I think. Simple to set up. Of course, you'd need other security too.
Certainly another tool on the belt, but I wouldn't call it a must. Disallowing root login is a must.
Changing the port too, or you will end up with hundreds of megabytes of failed logins in auth.log.
BTW, can I set iptables to run a program/script when a packet matches a rule (passing source IP+port preferably)?
☃ Snowman ☃
No... That would be a very quick way for someone to DoS your server.
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
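The auth.log remark and the answer about DoS point at the same thing, so one added example serves both (it is not code from the thread): instead of having the firewall run a program per packet, a log watcher reads auth.log on its own schedule, counts failed logins per source address, and only acts once a threshold is crossed. That is the pattern fail2ban and sshguard implement, with a ban that expires after a while. The log lines below are constructed and use documentation address ranges.

```shell
#!/bin/sh
# Added example, not from the thread: count failed SSH logins per source
# address in auth.log and list repeat offenders. Sample log is constructed.

# Per-IP count of "Failed password" lines, most frequent first.
failed_logins_by_ip() {
    awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") count[$(i + 1)]++
        }
        END { for (ip in count) print count[ip], ip }
    ' "$1" | sort -rn
}

# Addresses with at least $2 failures: candidates for a temporary ban.
# A real watcher also forgets old failures so a ban expires; without that,
# one mistyped password from work would eventually lock you out too.
offenders() {
    failed_logins_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Constructed auth.log excerpt: a scanner hammering root and "admin",
# one mistyped password from the LAN, and a successful key login from work.
sample_auth_log() {
    cat <<'EOF'
May 27 22:01:03 server sshd[1201]: Failed password for root from 198.51.100.7 port 51234 ssh2
May 27 22:01:05 server sshd[1203]: Failed password for root from 198.51.100.7 port 51240 ssh2
May 27 22:01:07 server sshd[1205]: Invalid user admin from 198.51.100.7 port 51246
May 27 22:01:07 server sshd[1205]: Failed password for invalid user admin from 198.51.100.7 port 51246 ssh2
May 27 22:01:09 server sshd[1207]: Failed password for invalid user admin from 198.51.100.7 port 51250 ssh2
May 27 22:01:11 server sshd[1209]: Failed password for invalid user test from 198.51.100.7 port 51255 ssh2
May 27 22:05:40 server sshd[1220]: Failed password for alice from 192.168.1.23 port 40112 ssh2
May 27 22:06:02 server sshd[1222]: Accepted publickey for alice from 203.0.113.5 port 40120 ssh2: ED25519 SHA256:constructed
EOF
}

if [ "${1:-}" = "demo" ]; then
    log="$(mktemp)"
    sample_auth_log > "$log"
    echo "failed logins per source:"; failed_logins_by_ip "$log"
    echo "offenders (3 or more failures):"; offenders "$log" 3
    rm -f "$log"
fi
```

Run with `demo` to see the report; point `offenders /var/log/auth.log 5` at the real log to get the same view of your own box. With the port moved and passwords switched off, the "Failed password" lines stop appearing almost entirely, which is the practical reason the two suggestions go together.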