how is configuring sshd to accept from certain ips over software
firewall preferable?
The control you're trying to perform is application specific. The
application has *full* access controls, so this is the appropriate
location for such management. It's also the first place a syadmin
would normally check for restrictions to ssh.
Basically keep application controls in the realm of the application.
It also permits control by roles for organizations where you actually
have an IT staff and you're not the sole individual, which is most
all organizations.
But basically control level seven access at level seven, not level three.
idealistically they are both software solutions save that
iptables/ipfw/etc offer more options to deny/allow attackers.
Actually they offer quite different options.
And they operate at completely different levels in the system model.
Yes, I suppose the argument for halting users at the service is a
good one since the firewall filters will be allowing access to the
service eventually, nothing like have a double set of protective
rules in place. if going that route might as well use both.
Except that it's confusing to an sshd administrator, who now has no
control over his realm and is thwarted by his network admin. So now
we need both a systems and a networks person to manage a single
service.
Not to mention that sshd offers much better access controls anyway.
purchasing a hardware firewall solution is the way to go ultimately
and they are relatively cheap (if you want the minimum).
But operate at the wrong layer. You'd need a level seven switch to
achieve the same level of protection.
running snort will do nothing for you, except tell you that you have
been attacked after the fact.
It was listed as an example of what you can do to, not as a panacea.
root login is turned off by default,
Not on OS X Server.
it would be a shame if someone intentionally turned this on.
See above.
Actually most experienced sysadmins deal with root just fine. For
ages we learned how to do this correctly. root being disabled really
solves no technical concerns.
of course, admin is another story. however, using this account is
not as damaging so use your discretion when logging in.
It's just as damaging if compromised.
--
-dhan
------------------------------------------------------------------------
Dan Shoop AIM: iWiring
Systems & Networks Architect http://www.iwiring.net/
email@hidden http://www.ustsvs.com/
iWiring provides systems and networks support for Mac OS X, unix, and
Open Source application technologies at affordable rates.
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Macos-x-server mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/macos-x-server/email@hidden
This email sent to email@hidden
References:
>SSH attacks (From: Bruno Schaeffer <email@hidden>)
