[NTLUG:Discuss] SSH
severian@pobox.com
Tue Oct 14 23:33:47 CDT 2003
David,
Your post brought up further questions which I put below your words.
Thanks,
Ralph
In response to the welcome remarks of David at 08:42 PM 10/14/03 -0500:
>On Mon, Oct 13, 2003 at 11:15:38PM -0500, severian at pobox.com wrote:
> > 1. I disabled type 1 ssh keys, since type 2 keys seem to be more
> > secure. Is there any reason to allow type 1 keys?
>
>No good reason at all. SSH protocol 1 is subject to some sorts of
>attacks due to design weaknesses in the protocol. These have been
Good. That is what I had understood.
>iptables -A INPUT -i eth1 -p tcp -s her-ip-range/her-ip-mask \
> --dport 22 -j ACCEPT
>iptables -A INPUT -i eth1 -p udp --dport 53 -j ACCEPT
>iptables -A INPUT -i eth1 -j DROP
>
>I assume that you're using two separate ethernets, with eth0 being
>your internal net, and eth1 being your external connection. Modify
>accordingly.
Actually I have just one ethernet port. I started out with two
ethernet cards, but I decided that was needlessly complex. There is a
router/gateway box supplied by the ISP (a Cisco 1720). It is a
firewall (somewhat), NAT, a DHCP server for most office machines (which get IP
addresses in the 10.0.1.x range) and a gateway for my small range of static
IP addresses. The 1720 LAN port (not the WAN port) gets plugged into the
same 16-port switch as this Linux box and every other machine in the office.
>The first line permits your remote worker to come in from her home IP
>address. If her ISP has multiple address ranges, repeat the first
>line for each different address range and netmask.
>
>The second line permits DNS responses to get back to you.
>
>The third line silently discards all other packets, which will make
>your Linux system appear to be turned off.
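As an added example (not code from David's or Ralph's posts), here is a small Python first-match evaluator for the three INPUT rules quoted above, with a constructed 198.51.100.0/24 standing in for her-ip-range/her-ip-mask. It shows which inbound packets each rule catches, including that a rule on `--dport 53` matches queries sent to your own port 53, not the replies to lookups you make.

```python
"""Added example (not from the thread): a tiny first-match evaluator for the
three iptables INPUT rules posted above, to see which packets they accept."""
import ipaddress

# Constructed stand-in for "her-ip-range/her-ip-mask" in the first rule.
HER_ISP_RANGE = ipaddress.ip_network("198.51.100.0/24")

# (interface, proto, source network or None, destination port or None, target)
# Rules are evaluated top to bottom; the first match decides, like iptables.
RULES = [
    ("eth1", "tcp", HER_ISP_RANGE, 22, "ACCEPT"),   # ssh from her ISP only
    ("eth1", "udp", None, 53, "ACCEPT"),            # udp to our port 53
    ("eth1", None, None, None, "DROP"),             # everything else on eth1
]

def filter_input(iface, proto, src, sport, dport, policy="ACCEPT"):
    """Return the target for one inbound packet. `policy` is the chain policy
    used when no rule matches (traffic on other interfaces falls through to it).
    `sport` is taken but unused: none of the posted rules inspects it."""
    src_ip = ipaddress.ip_address(src)
    for r_iface, r_proto, r_net, r_dport, target in RULES:
        if r_iface is not None and r_iface != iface:
            continue
        if r_proto is not None and r_proto != proto:
            continue
        if r_net is not None and src_ip not in r_net:
            continue
        if r_dport is not None and r_dport != dport:
            continue
        return target
    return policy

def demo():
    """Constructed packets exercising each rule; returns name -> verdict."""
    return {
        # her ssh session from the permitted range is accepted
        "ssh_from_her": filter_input("eth1", "tcp", "198.51.100.7", 51000, 22),
        # ssh from anywhere else hits the final DROP
        "ssh_from_elsewhere": filter_input("eth1", "tcp", "203.0.113.9", 51000, 22),
        # a query *to* our port 53 matches rule two
        "dns_query_to_us": filter_input("eth1", "udp", "203.0.113.53", 40000, 53),
        # a reply from a resolver has sport 53 and a high dport, so it is dropped;
        # letting replies in needs a "--sport 53" match (or connection tracking)
        "dns_reply_to_us": filter_input("eth1", "udp", "203.0.113.53", 53, 40000),
        # internal traffic on eth0 never matches these eth1 rules
        "lan_on_eth0": filter_input("eth0", "tcp", "10.0.1.20", 40000, 22),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```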