Educause Security Discussion mailing list archives

Re: How do you all handle SSH access to campus resources?


From: Jeff Kell <jeff-kell () UTC EDU>
Date: Wed, 4 May 2005 12:05:04 -0400

Michael Horne wrote:

> First time poster here looking for some info on how Universities and
> others handle SSH access to their campus and how restrictive it is
> configured.

For most common services (including SSH) we only allow outside internet
incoming to our "registered" servers as a first line of defense.  These
services are blocked to everything else.

Next, specific subnets may selectively permit or deny services (again
splitting hairs between default permit and default deny) and what
sources are involved.

Finally, we use host-based firewall/iptables/etc rules where access
needs are not met by the previous provisions, or for the paranoid, in
case the previous measures are compromised.

> Currently we have a single SSH gateway on a DMZ.

We don't use a gateway, but rather a VPN for internal staff.  Still
looking at a more generalized solution for encryption for more general
applications (SSL/VPN/something) to satisfy audit requirements.

> We have, as you all have, been spam'd by the number of brute force
> attempts into our systems.

Our external-facing mail servers only accept mail for local delivery.
Our mail delivery servers only accept mail from campus.

> I.e... Anyone have any luck with blocking APNIC ranges for home cable
> modem users which seems to be a large source of the brute force attempts?

Haven't visited that idea yet.

Jeff Kell
System/Network Security
University of Tennessee at Chattanooga
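
Added example, not part of the message above and not UTC's configuration: a small model of the three filtering layers the reply describes (border allow-list of registered servers, per-subnet rules, host firewall), showing which layer stops an inbound SSH connection and what still stops it if an earlier layer fails. All addresses are constructed documentation ranges, and default deny at the subnet layer is an assumption.

```python
import ipaddress as ip

# Constructed sample policy (documentation address ranges), not from the post.
CAMPUS = ip.ip_network("192.0.2.0/24")
REGISTERED = {ip.ip_address("192.0.2.10")}      # layer 1: servers reachable from outside
SUBNET_ACL = {                                   # layer 2: destination subnet -> allowed sources
    ip.ip_network("192.0.2.0/28"): [ip.ip_network("0.0.0.0/0")],
    ip.ip_network("192.0.2.64/26"): [CAMPUS],
}
HOST_ACL = {                                     # layer 3: host firewall allow-lists
    ip.ip_address("192.0.2.10"): [ip.ip_network("198.51.100.0/24")],
}

def border(src, dst):
    # Campus-internal traffic never crosses the border filter.
    return src in CAMPUS or dst in REGISTERED

def subnet(src, dst):
    for net, sources in SUBNET_ACL.items():
        if dst in net:
            return any(src in s for s in sources)
    return False  # assumption: subnets without an entry are default deny

def host(src, dst):
    rules = HOST_ACL.get(dst)
    # A host with no local rules relies entirely on the network layers.
    return rules is None or any(src in s for s in rules)

LAYERS = [("border", border), ("subnet", subnet), ("host", host)]

def evaluate(src, dst, bypassed=()):
    """Return the first layer that denies SSH from src to dst, or 'allow'.
    Layers named in `bypassed` are skipped, modelling a failed control."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    for name, check in LAYERS:
        if name in bypassed:
            continue
        if not check(src, dst):
            return name
    return "allow"

if __name__ == "__main__":
    for src, dst, skip in [
        ("203.0.113.5", "192.0.2.70", ()),           # outside -> unregistered host
        ("203.0.113.5", "192.0.2.70", ("border",)),  # same, border filter failed
        ("203.0.113.5", "192.0.2.10", ()),           # outside -> registered server
        ("198.51.100.7", "192.0.2.10", ()),          # permitted remote range
    ]:
        print(src, "->", dst, "bypassed:", skip, "=>", evaluate(src, dst, skip))
```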
