nathan r. hruby nhruby@uga.edu
Sat, 24 Apr 2004 13:08:50 -0700 (PDT)
Hi,

On Sat, 24 Apr 2004, Kurt Raschke wrote:

> I have been running conserver on my LAN for a few months now, and so
> far it has been very successful. However, I'd like to open up access
> to the box running conserver for purposes of remote administration
> over the Internet. Obviously, I am worried about the potential
> security implications of this, and so I am looking to do it in the
> safest way possible. What would you all recommend? I am thinking of
> either opening up SSH to the box, or opening up the conserver port and
> then using 'console' to connect remotely, since conserver does include
> SSL support to secure the connection.
>

What we've been doing is a mixture of various things. When building conserver we use "--with-libwrap --with-openssl --with-pam". We also force the default action in conserver to be deny, do not accept non-SSL connections, and have ALL : ALL in hosts.deny. We then open up the conserver port in the firewall for only a select number of subnets, and then add either individual machines from those subnets to /etc/hosts.allow and conserver.cf or, for subnets we trust, the entire subnet. We do not have any trusted client hosts in our config, so everyone must enter a password when connecting.

Some users have the console application installed on their box; others ssh into the servers themselves and run console from there, or log in directly using the screen/keyboard when at the physical box and then simply open an xterm and use console from there.

Seems complicated (and it can be: adding a user or a new host on a new subnet requires editing 3-4 config files and several restarts of services), but I think it's probably the most useful while trying to remain the most secure. If anyone thinks this is a retarded way of doing things, please LMK.
It seems like a good idea, but I am still fairly new to conserver :)

-n

--
-------------------------------------------
nathan hruby <nhruby@uga.edu>
uga enterprise information technology services
production systems support
metaphysically wrinkle-free
-------------------------------------------
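The libwrap layer the reply relies on (ALL : ALL in hosts.deny, selected hosts and subnets in hosts.allow) is evaluated in a fixed order: hosts.allow first, then hosts.deny, and anything matched by neither is allowed. The script below is an added example, not code from the thread or from the conserver project; it implements that order for a simplified subset of the tcp_wrappers client patterns (ALL, exact IPv4, net/mask, trailing-dot prefix) over constructed sample files, and shows why dropping the ALL : ALL line silently opens the port to every host the firewall lets through.

```python
"""Evaluate tcp_wrappers hosts.allow / hosts.deny decisions for one daemon."""
import ipaddress

# Constructed sample files mirroring the layering described in the post:
# a few hosts plus one trusted subnet allowed for conserver, all else denied.
HOSTS_ALLOW = """
sshd: ALL
conserver: 192.0.2.10, 192.0.2.11, 198.51.100.0/255.255.255.0, 203.0.113.
"""
HOSTS_DENY = "ALL: ALL\n"


def parse_rules(text):
    """Yield (daemons, clients) pairs from a hosts.allow/hosts.deny body."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments
        if not line or ":" not in line:
            continue
        daemons, rest = line.split(":", 1)
        clients = rest.split(":", 1)[0]              # drop optional shell_command field
        yield ([d.strip() for d in daemons.split(",")],
               [c.strip() for c in clients.split(",")])


def client_matches(pattern, addr):
    """Subset of tcp_wrappers client patterns; hostname lookups are not modelled."""
    if pattern == "ALL":
        return True
    if "/" in pattern:                               # net/mask form, e.g. 10.0.0.0/255.0.0.0
        net, mask = pattern.split("/", 1)
        return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
    if pattern.endswith("."):                        # leading-octets prefix, e.g. 203.0.113.
        return addr.startswith(pattern)
    return addr == pattern                           # exact IPv4 address


def wrappers_decision(daemon, addr, allow_text, deny_text):
    """Apply tcp_wrappers order: hosts.allow, then hosts.deny, else allow."""
    for text, verdict in ((allow_text, "allow"), (deny_text, "deny")):
        for daemons, clients in parse_rules(text):
            if ("ALL" in daemons or daemon in daemons) and \
                    any(client_matches(c, addr) for c in clients):
                return verdict
    return "allow"   # matched by neither file: the tcp_wrappers default


if __name__ == "__main__":
    for addr in ("192.0.2.10", "198.51.100.77", "203.0.113.5", "192.0.2.12"):
        print(addr, "with ALL: ALL ->", wrappers_decision("conserver", addr, HOSTS_ALLOW, HOSTS_DENY),
              "| without ->", wrappers_decision("conserver", addr, HOSTS_ALLOW, ""))
```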