Is ssh reasonably secure for remote administration? I need a way to perform maintenance on a server at a branch office without always having to travel on-site for ordinary chores like adding a new user account.
If I were to open the port in our hardware firewall to allow ssh connection to a specific host, would I be inviting the world to hack my file server?
I'm not a security guru, but from what I've read, ssh seems to be a preferred method for remote connections. ssh does not allow login as root, correct? The traffic is encrypted, correct?
The beauty of Linux is that I could perform nearly any admin task from within a command prompt and a text editor. But I'd like to know that allowing ssh is at least "reasonably" secure.
I don't want to be lax about security, but I don't want to be overly paranoid either.
SSH is secure enough for remote access. It does encrypt traffic and can be configured to exclude direct root access. You can minimize the risk of opening a hole in your firewall by restricting access to just the endpoints, i.e. the server that you will admin and the client that you will connect from.
Yes. You can add an AllowUsers directive to your sshd_config file and then only the users listed can get access. You can also further lock it down by not allowing usernames or passwords, but use public key authentication instead.
What I would most strongly recommend is what I have recommended in the past... use digital certificates with SSH. Don't rely upon username/password authentication.
Only users who can present a valid certificate will be allowed to go further. It will not matter if they know a password or can guess it; their passport is rejected at the outer gate. This will truly stop the "script kiddies" who, otherwise, will come to call and will begin to hammer against your username/password file around the clock with the persistence that only a computer can create.
VPN (virtual private networking) is very handy as well. It wraps everything in an encryption packet, and once again it is best used with digital certificates. (i.e. Don't use Pre-Shared Keys.)
The overwhelming advantage of digital certificates, aside from the fact that they cannot be forged, is that they are individually issued and can be individually revoked. If a computer is lost or stolen, its access can be selectively revoked.
Without certificates, unfortunately, "SSH is simply another shell." It gives anyone-in-the-universe the opportunity to try a username-plus-password against your system. Sure, it encrypts the traffic, but it allows anyone to try to log in. But with certificates, only the bearers of an un-forgeable (and unrevoked) credential will ever be given the opportunity to utter magic words.
Last edited by sundialsvcs; 10-21-2005 at 09:48 PM.
A good source of howtos is here. Look at "local copies" such as this one. (However, I would encourage you to peruse the whole site.)
I really want to emphasize... this stuff is not hard to do. And it makes your SSH connection "really secure" for the first time. Script kiddies might be able to detect that you have an open SSH port into your system, but they can't begin to touch it.
Last edited by sundialsvcs; 10-21-2005 at 09:47 PM.
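The sshd_config settings recommended in the replies above (no direct root login, public keys instead of passwords, an AllowUsers list) can be checked with a short script. This is an added example, not part of the original thread: the sample configs and user names are constructed, the defaults are those of current OpenSSH releases, and only the global section is read (Match blocks and Include files are skipped).

```python
# Added example: audit sshd_config text (global section only; Match/Include skipped).
# Values sshd uses when a keyword is absent (current OpenSSH releases).
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes",
            "pubkeyauthentication": "yes"}

# Constructed samples, not taken from any real host.
WEAK = """\
PermitRootLogin no
passwordauthentication yes
# The next line has no effect: sshd keeps the first value it reads per keyword.
PasswordAuthentication no
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""
HARDENED = """\
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers alice bob
"""

def effective_settings(text):
    """Parse the global section; keywords are case-insensitive, first value wins."""
    seen = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        keyword = parts[0].lower()
        if keyword == "match":
            break  # everything after this is conditional, not global
        value = parts[1].strip() if len(parts) > 1 else ""
        seen.setdefault(keyword, value)
    return seen

def audit(text):
    """Return one finding per setting that differs from the thread's advice."""
    cfg = {**DEFAULTS, **effective_settings(text)}
    findings = []
    if cfg["permitrootlogin"].lower() != "no":
        findings.append("PermitRootLogin is not 'no': root can log in directly")
    if cfg["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication is not 'no': passwords can be guessed")
    if cfg["pubkeyauthentication"].lower() != "yes":
        findings.append("PubkeyAuthentication is not 'yes': key logins are disabled")
    if not cfg.get("allowusers", "").split():
        findings.append("AllowUsers is not set: every account may attempt a login")
    return findings
```

On a live host, `sshd -T` prints the effective configuration as the server itself parses it, which is the authoritative check.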