How do you configure machine securely that mortals can log into?
Hello:
I am maintaining a Linux server for a friend who will be traveling for up to two years. He does photography and also maintains his own web log for. He had coded the HTML himself. He wants the independence of his own server because there are no content restrictions or space restrictions.
The problem is this: I need a way to allow him to log in remotely from places which will not have sophisticated computers. Mostly he will have access only to Windows and PuTTY. Carrying around public and private keys and loading them on strange computers around the country/world is just not workable. Right now ssh is becoming more and more paranoid and the required security just goes up. I would love to reduce the security level on ssh but this seems really difficult.
What good is a machine if you can't log in to it? I need sane workable security, not perfect security! Any suggestions?
What will he be doing on the server while he's logged in? If he's just going to be uploading new web content and pictures, then I would just have him do it through PHP/Apache.
Have him set up a password-protected directory on his website that contains a page that will allow him to upload pictures through HTTP. That will keep all of your backdoor services (ssh, telnet, ftp) secure, and it'll be an easy way for him to add new content to his site from any computer with internet access.
You should be able to find a cool file upload script at hotscripts.com. Of course this is all assuming he has PHP/Apache installed on his server.
Originally posted by msound
Have him set up a password-protected directory on his website that contains a page that will allow him to upload pictures through HTTP. That will keep all of your backdoor services (ssh, telnet, ftp) secure, and it'll be an easy way for him to add new content to his site from any computer with internet access.
You should be able to find a cool file upload script at hotscripts.com. Of course this is all assuming he has PHP/Apache installed on his server.
Don't all the secure protocols like password authentication in Apache run from the same secure subsystems? They all work through OpenSSL. To authenticate to a web server will require a certificate, and since it will be self-signed it becomes problematic.
The other problem I have is that although my ISP says I have a static IP address, I know that it is a DHCP-assigned one and only a hardware Ethernet address. Reverse lookups don't work! I have no idea what will happen when I try to configure a mail server on this machine.
I still may end up using Apache/PHP, though I think he wants more control over his machine than that would allow.
Well yeah, Apache/PHP won't give him any control over the machine; it would just provide an easy way to upload new content to his web site.
I'm not exactly sure how htaccess works in Apache. All I know is that it's a secure way to password protect your website directories. The page content wouldn't be encrypted or anything; it would just prevent public users from uploading their data to the site, because they wouldn't have access to the upload script.
But you're right, if he wants to do more than that on the server you'll have to come up with a better solution. Just thought I'd throw the suggestion out there.
In /etc/ssh/sshd_config there is a line that you can add:
AllowUsers
You can put yourself and him there; then that's all that would be able to connect to the sshd. Have him make up a messed-up username, so that it's not easily guessed.
Depending on the systems that he has access to, he could take a live distro with him on a USB flash drive. Put a key on that, and then he has instant access that is now key driven and not passwd driven.
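A quick way to check who an AllowUsers line actually lets in, as an added example that is not part of the thread. The usernames and the sample config are constructed, and the check compares only the user part of each pattern (it ignores DenyUsers, AllowGroups, Match blocks and negated patterns).

```shell
#!/bin/sh
# Added example: audit which user names an sshd_config AllowUsers list permits.

# Constructed sample config; the user names are hypothetical.
sample_config() {
    cat <<'EOF'
Port 22
PasswordAuthentication yes
#AllowUsers everyone
AllowUsers maint_k3 photo_tr4vel@*
EOF
}

# Print every pattern from all AllowUsers lines, one per line.
# The keyword is case-insensitive and repeated lines accumulate;
# commented-out lines are skipped because their first field differs.
allow_patterns() {
    awk 'tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Return 0 if user $2 passes the AllowUsers list in file $1, 1 otherwise.
# With no AllowUsers line at all, sshd does not restrict by user name.
user_allowed() {
    patterns=$(allow_patterns "$1")
    [ -z "$patterns" ] && return 0
    while IFS= read -r p; do
        case "$2" in
            ${p%%@*}) return 0 ;;   # user part only; * and ? act as wildcards
        esac
    done <<EOF
$patterns
EOF
    return 1
}

# Stand-alone run: report on a few names against the sample.
cfg=$(mktemp)
sample_config > "$cfg"
for u in maint_k3 photo_tr4vel root everyone; do
    if user_allowed "$cfg" "$u"; then echo "$u: allowed"; else echo "$u: refused"; fi
done
rm -f "$cfg"
```

After editing the real file, `sshd -t` checks the configuration for syntax errors before the daemon is restarted.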