LinuxQuestions.org


maxque 05-04-2005 01:52 PM

How do you configure machine securely that mortals can log into?
 
hello:

I am maintaining a Linux server for a friend who will be traveling for up to two years. He does photography and also maintains his own web log for. He had coded the HTML himself. He wants the independence of his own server because there are no content restrictions or space restrictions.

The problem is this: I need a way to allow him to log in remotely from places which will not have sophisticated computers. Mostly he will have access only to Windows and PuTTY. Carrying around public and private keys and loading them on strange computers around the country/world is just not workable. Right now ssh is becoming more and more paranoid and the required security just goes up. I would love to reduce the security level on ssh but this seems really difficult.

What good is a machine if you can't log in to it? I need sane workable security, not perfect security! Any suggestions?

maxque

msound 05-04-2005 01:59 PM

what will he be doing on the server while he's logged in? if he's just going to be uploading new web content and pictures then i would just have him do it through php/apache.

have him set up a password protected directory on his website that contains a page that will allow him to upload pictures through http. that will keep all of your backdoor services (ssh, telnet, ftp) secure, and it'll be an easy way for him to add new content to his site from any computer with internet access.

you should be able to find a cool file upload script at hotscripts.com. of course this is all assuming he has php/apache installed on his server.

maxque 05-04-2005 03:22 PM

Quote:

Originally posted by msound

have him set up a password protected directory on his website that contains a page that will allow him to upload pictures through http. that will keep all of your backdoor services (ssh, telnet, ftp) secure, and it'll be an easy way for him to add new content to his site from any computer with internet access.

you should be able to find a cool file upload script at hotscripts.com. of course this is all assuming he has php/apache installed on his server.

Don't all the secure protocols like password authentication in apache run from the same secure subsystems? They all work through OpenSSL. To authenticate to a web server will require a certificate and since it will be self-signed it becomes problematic.

The other problem I have is that although my ISP says I have a static IP address, I know that it is a dhcp assigned one and only a hardware ethernet address. Reverse look-ups don't work! I have no idea what will happen when I try to configure a mail server on this machine.

I still may end up using apache/php though I think he wants more control over his machine than that would allow.

max

msound 05-04-2005 03:26 PM

well yeah apache/php won't give him any control over the machine, it would just provide an easy way to upload new content to his web site.

i'm not exactly sure how htaccess works in apache. all i know is that it's a secure way to password protect your website directories. the page content wouldn't be encrypted or anything, it would just prevent public users from uploading their data to the site, because they wouldn't have access to the upload script.

but you're right, if he wants to do more than that on the server you'll have to come up with a better solution. just thought i'd throw the suggestion out there.

emetib 05-04-2005 10:47 PM

in the /etc/ssh/sshd_config there is a line that you can add-
AllowUsers

you can put yourself, and him there, then that's all that would be able to connect to the sshd. have him make up a messed up username, so that it's not easily guessed.

depending on the systems that he has access to, he could take a live distro with him on a usb flash drive. put a key on that, and then he has instant access that is now key driven and not passwd driven.

just an idea.
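
An added example, not part of emetib's post or the thread: a small audit of the `AllowUsers` restriction suggested above, reading the global section of an `sshd_config` and reporting anything that widens the list. The account names and the sample config are constructed; it assumes keywords are case-insensitive, repeated `AllowUsers` lines accumulate, and `Match` blocks are not evaluated.

```python
# Constructed sample; "maxq_admin" and "fz7photo_trvl" are made-up account names.
SAMPLE_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
PermitRootLogin no
allowusers maxq_admin
AllowUsers fz7photo_trvl
#AllowUsers guest
Match Address 192.0.2.0/24
    AllowUsers backup
"""

def allowed_users(config_text):
    """Collect AllowUsers patterns from the global section (before any Match)."""
    patterns = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or full-line comment
        keyword, *args = line.split()
        keyword = keyword.lower()         # sshd keywords are case-insensitive
        if keyword == "match":
            break                         # conditional blocks are out of scope here
        if keyword == "allowusers":
            patterns.extend(args)         # several lines add up to one list
    return patterns

def audit(config_text, expected):
    """Return a list of findings; an empty list means the list matches `expected`."""
    patterns = allowed_users(config_text)
    if not patterns:
        return ["AllowUsers is not set: sshd does not restrict logins by account name"]
    findings, names = [], set()
    for pattern in patterns:
        user = pattern.split("@", 1)[0]   # AllowUsers also accepts USER@HOST
        if "*" in user or "?" in user:
            findings.append(f"wildcard pattern {pattern!r} can match several accounts")
        else:
            names.add(user)
    for extra in sorted(names - set(expected)):
        findings.append(f"unexpected account {extra!r} is allowed")
    for missing in sorted(set(expected) - names):
        findings.append(f"expected account {missing!r} is not listed by name")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, ["maxq_admin", "fz7photo_trvl"]) or ["ok"]:
        print(finding)
```

Run `sshd -t` after editing the real file to check its syntax before restarting the daemon, so a typo does not lock both accounts out.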

