[NTLUG:Discuss] SSH

severian@pobox.com severian at pobox.com
Tue Oct 14 23:02:00 CDT 2003


Jack,
   Thank you for the comments.  They prompted further questions which I 
have put after your words.
Good day,
Ralph

In response to the welcome remarks of Jack Snodgrass at 06:00 AM 10/14/03 
-0500:
>couple of thoughts:
>
>you say "on a Windows machine driving her desktop Windows machine"
>    is that one or two windows boxes that they have? If it's two,
>    why can't one be a linux box. If you have two linux boxes you
>    can run a simple VPN with vtund on both boxes.
    My boss has a Windows box on her desk at work.  It has programs like 
Quickbooks that she sometimes wants to look up information on while at 
home.  At home, the family computer is a Windows computer.  I can't change 
either of those.  But, anyplace a new machine is needed, I'll use Linux, if 
appropriate, as I believe it is here.


>speaking of VPN, why not run a VPN server on your linux box
>    and let the customer connect using MS VPN client?
    It is nothing more than incompetence on my part.  I tried several times 
to get a VPN set up, but I could never get it to work.  I am the only one 
at the office most of the time and the frequent interruptions (mostly phone 
calls) are a contributing factor here.  The MS VPN client needs an 
expensive VPN server, or at least I thought it did.  I have time I can 
spend, but not much of a budget.


>as for SSH:
>    only use ssh2.
>    use Etunnel from www.vandyke.com ( $59 license ) to establish
    Thanks for the pointer.  I'll read up on that.  Although for the basic 
port forwarding, PuTTY seems to work fine.  I'll be interested to see what 
is better.


>    use a non standard port for the server/client. Lots of hackers
>       try and access port 22.
    I was thinking about that, but I wasn't sure if it was worth the 
trouble.  It is certainly easy to do.


>    use tcpwrappers or iptables to limit access to the ssh port to
>       specific ip addresses.
>    don't allow plain text passwords. use keys only.
    Both remote workers are on systems where they will not have long term 
IP leases.  I mentioned how I was thinking about handling this in a 
response to Chris.  Basically, I'll give each remote machine a name and put the 
IPs in the hosts file.  One point here seems redundant.  Maybe it isn't 
really, but it seems that way.  If I disallow passwords and require keys, 
doesn't that limit the ip addresses?  The keys contain the IP address or the 
name, so only a matching IP address or name can do a public/private key 
match.  If this isn't true, what am I missing?

>
>ftp/telnet:
>    NO NO NO NO NO NO NO NO NO NO NO NO NO NO NO NO NO NO NO NO NO NO
>    ( repeat this line 50000 times )
    Since you are so emphatic, I guess you disagree with my having closed 
these ports already.  Do you really think I should open them back up ;-)
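An added example, not part of this thread: a constructed sshd_config fragment and authorized_keys line reflecting Jack's recommendations (ssh2 only, non-standard port, keys instead of passwords), plus a small POSIX shell check that reports which of those settings are missing. The hostnames, port number and key text are placeholders; the `from=` option on the authorized_keys line is what ties a key to particular source hosts, since the key material itself carries no address.

```shell
# Constructed sample sshd_config (not a real server's file). Port 2222 is a
# placeholder for whatever non-standard port is chosen.
SAMPLE_SSHD_CONFIG='Port 2222
Protocol 2
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
AllowUsers ralph boss'

# Constructed authorized_keys entry. The from= option restricts where this key
# may be used from; name patterns are matched against the reverse lookup of the
# client address, IP patterns against the address itself. Key text is a placeholder.
SAMPLE_AUTHORIZED_KEY='from="boss-home.example,worker2.example" ssh-rsa AAAAB3PLACEHOLDER ralph@office'

# Return 0 if the config text in $1 has a line "Keyword Value" ($2 $3),
# keyword matched case-insensitively, surrounding whitespace allowed.
has_setting() {
    printf '%s\n' "$1" | grep -Eiq "^[[:space:]]*$2[[:space:]]+$3[[:space:]]*$"
}

# Print one line per missing hardening setting; return value is the count found.
audit_sshd_config() {
    cfg=$1
    problems=0
    has_setting "$cfg" Protocol 2 || { echo "Protocol 2 (ssh2 only) not set"; problems=$((problems+1)); }
    has_setting "$cfg" PasswordAuthentication no || { echo "PasswordAuthentication should be no"; problems=$((problems+1)); }
    has_setting "$cfg" PubkeyAuthentication yes || { echo "PubkeyAuthentication should be yes"; problems=$((problems+1)); }
    has_setting "$cfg" Port 22 && { echo "Port 22 in use; consider a non-standard port"; problems=$((problems+1)); }
    return $problems
}

# Print the comma-separated from= host list of an authorized_keys line, or nothing.
key_from_hosts() {
    printf '%s\n' "$1" | sed -n 's/^.*from="\([^"]*\)".*$/\1/p'
}
```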