Educause Security Discussion mailing list archives

Re: Remote Access to Staff Desktops


From: Dexter Caldwell <Dexter.Caldwell () FURMAN EDU>
Date: Sun, 22 Feb 2009 14:28:33 -0500

I couldn't agree more.  We do this sort of restriction on anything since
I've been in this position the last few years, but unfortunately on older
systems whose birth preceded enforced concerns about security many people
used this for websites and other access, it's been harder to get users
trained and weaned off the old process.  As a result for those few
remaining systems, I'm retiring this practice by attrition as users are
migrated to a new server where they can be given new processes (and
training) and they are by virtue of the change to the "new server"
somewhat more psychologically tractable.

D/C


The EDUCAUSE Security Constituent Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU> writes:
On Fri, 20 Feb 2009 08:29:22 EST, Dexter Caldwell said:
I severely limit ssh access from off-campus, however, we have some legacy
systems where access is historical or where we've granted it.  We
constantly get ssh brute force attacks on these servers.  The best thing
I've done to shut this down is use an ssh brute force signature on the ips
to terminate these attempts.  It's been quite successful and users haven't
noticed the change.

Something that *way* too few sites bother doing is restricting SSH access
up front, if possible.  We've had very good success on some of our systems
where only a few people needed ssh into the box, of restricting inbound with
iptables to only allow the 2 /16s of on-campus addresses, and then identify
the /16 each person was likely to land in from their at-home cablemodem or
DSL line.  No ssh brute forces to worry about, because the chances of the
brute-forcer being in the same /16 as our user are vanishingly small...

This has the *added* benefit of *also* blocking any non-brute-force ssh
attacks, like if somebody finds a 0day.  Suddenly, the attacker has to be in
one of the 3 or 4 /16s that can get to the box, and attacking from Moldavia
or someplace no longer works...
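
As an added example (not code from either poster), the following POSIX shell script generates the two measures described in this thread: an iptables allow-list that admits new SSH connections only from a handful of /16s, plus a per-source rate limit built on the `recent` match as a stand-in for the brute-force signature mentioned above. The CIDRs at the bottom are constructed placeholders, and the script prints the rules for review instead of applying them.

```shell
#!/bin/sh
# Added example, not from the list thread. Emits iptables rules that admit
# NEW SSH connections only from an allow-list of CIDRs and drop any allowed
# source that opens 5+ connections within 60 seconds. Rules are printed,
# not applied: review them, then pipe the output to sh as root.

# cidr_ok A.B.C.D/N -> 0 if well-formed (octets 0-255, prefix 0-32), else 1
cidr_ok() {
    case "$1" in
        ''|*[!0-9./]*|*/*/*) return 1 ;;
    esac
    addr=${1%/*}
    pfx=${1#*/}
    [ "$addr" != "$1" ] || return 1                  # no "/N" part at all
    [ -n "$pfx" ] && [ "$pfx" -le 32 ] 2>/dev/null || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr                                     # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] 2>/dev/null || return 1
    done
}

# ssh_rules CIDR... -> print the rule set for the given allow-list
ssh_rules() {
    [ $# -gt 0 ] || { echo "usage: ssh_rules CIDR..." >&2; return 2; }
    for c in "$@"; do
        cidr_ok "$c" || { echo "ssh_rules: bad CIDR '$c'" >&2; return 1; }
    done
    # Accept replies to existing connections, then a chain that counts NEW
    # connections per source address and drops the 5th within 60 seconds.
    cat <<'EOF'
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -N SSH_ALLOWED
iptables -A SSH_ALLOWED -m recent --name sshprobe --set
iptables -A SSH_ALLOWED -m recent --name sshprobe --update --seconds 60 --hitcount 5 -j DROP
iptables -A SSH_ALLOWED -j ACCEPT
EOF
    # Only the allow-listed ranges reach SSH_ALLOWED; everyone else is dropped.
    for c in "$@"; do
        echo "iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -s $c -j SSH_ALLOWED"
    done
    echo "iptables -A INPUT -p tcp --dport 22 -j DROP"
}

# Constructed placeholders: two campus /16s and one home-ISP /16.
ssh_rules 10.10.0.0/16 10.11.0.0/16 10.200.0.0/16
```

A source blocked by the `recent` rule keeps refreshing its own timestamp while it retries, so the lockout lasts until it stays quiet for a full 60 seconds.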
