Linux Server Security
-
We have all servers accessible via SSH keys only, but now we are going to add the allowed IPs for SSH key access as well.
-
It's pretty common to lock down SSH access via the firewall already. Further access on a key-by-key basis could be good too. Be careful, though: it is a good way to accidentally lock yourself out of the system.
-
I haven't looked online at all for this, but is it possible to restrict by domain? So if you're on a dynamic address you can still access if you have a dyndns setup for your house or wherever you are.
(I guess if it's a VPS or something you could just access the console and allow your IP).
-
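The per-key source restriction discussed in the opening post, and the lockout concern raised in the reply, can be handled with the `from="..."` option that OpenSSH sshd reads from `authorized_keys`. The script below is an added example written for this thread, not anything posted by the participants: it validates an allow-list of IPv4 addresses and CIDR ranges, emits a restricted `authorized_keys` line, and checks whether the address of the session you are currently working from (taken from the `SSH_CONNECTION` environment variable sshd sets) is covered before you replace the old line. The key material and addresses in it are constructed placeholders. One caveat on the dynamic-DNS question: `from=` also accepts hostname patterns, but sshd matches them against the reverse-DNS name of the connecting address, so a forward-only dynamic DNS name does not give you a usable restriction.

```shell
#!/bin/sh
# Build an authorized_keys entry restricted with from="...", and guard against
# writing an allow-list that would lock out the session running this script.
# Added example for this thread; addresses and key text below are placeholders.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Return 0 if $1 is "a.b.c.d" or "a.b.c.d/n" with n in 0..32 (the forms sshd
# accepts inside from="...").
valid_cidr4() {
  case $1 in
    */*) ip=${1%/*}; len=${1#*/} ;;
    *)   ip=$1; len=32 ;;
  esac
  case $len in ''|*[!0-9]*) return 1 ;; esac
  [ "$len" -le 32 ] || return 1
  valid_ipv4 "$ip"
}

# Print the 32-bit integer form of the IPv4 address $1.
ip_to_int() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if address $1 falls inside the address or CIDR range $2.
ip_in_cidr() {
  case $2 in
    */*) net=${2%/*}; len=${2#*/} ;;
    *)   net=$2; len=32 ;;
  esac
  [ "$len" -eq 0 ] && return 0
  mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Return 0 if address $1 matches any entry of the comma-separated list $2.
client_in_allowlist() {
  ip=$1
  old_ifs=$IFS; IFS=,
  set -- $2
  IFS=$old_ifs
  for entry in "$@"; do
    ip_in_cidr "$ip" "$entry" && return 0
  done
  return 1
}

# Print an authorized_keys line restricting public key $2 to the sources in
# the comma-separated list $1; fail if the list is empty or malformed.
restricted_key_line() {
  allow=$1; key=$2
  [ -n "$allow" ] || return 1
  old_ifs=$IFS; IFS=,
  set -- $allow
  IFS=$old_ifs
  for entry in "$@"; do
    valid_cidr4 "$entry" || { echo "bad allow-list entry: $entry" >&2; return 1; }
  done
  case $key in
    ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *) ;;
    *) echo "unsupported key type" >&2; return 1 ;;
  esac
  printf 'from="%s" %s\n' "$allow" "$key"
}

# Demo (placeholder values): refuse to emit a line that would not cover the
# address this very session came in from, so you cannot lock yourself out.
ALLOW="203.0.113.10,198.51.100.0/24"
KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample ops@office"
if [ -n "${SSH_CONNECTION:-}" ] && ! client_in_allowlist "${SSH_CONNECTION%% *}" "$ALLOW"; then
  echo "refusing: allow-list would lock out this session (${SSH_CONNECTION%% *})" >&2
else
  restricted_key_line "$ALLOW" "$KEY"
fi
```

Run it over SSH from the machine you administer, keep that session open, and only after the new line is installed test a fresh login from an allowed address before closing the old one. Entries are matched per key, so a second key for a VPN or jump-host range can carry its own `from=` list without touching the office key.
-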
@scottalanmiller All our servers are on Xen, so in case we get locked out I can fix that from the Xen cm console.
-
Isn't locking down from IP only useful as long as you know where you'll ever log in from?
For example - Scott travels the world, he doesn't know day to day what IP he'll be SSHing in from.
I'm guessing a super locked down Jump Box would be the best option here with two factor authentication.
-
@Dashrender What we have is SSH only allowed from our office IP, and we have a VPN connection to our datacenter, which is allowed as well. So in case I work from home or outside, I can connect to the VPN and then get access to the servers.
-
Would it not be possible to also set up a Jump box for SSH access?
-
@dafyre said:
Would it not be possible to also set up a Jump box for SSH access?
That's what we do to improve security for exactly this kind of need. VPNs are such a big security risk, we like to avoid them when possible.
-
@scottalanmiller said:
@dafyre said:
Would it not be possible to also set up a Jump box for SSH access?
That's what we do to improve security for exactly this kind of need. VPNs are such a big security risk, we like to avoid them when possible.
Why is a VPN a security risk? Because they give you (generally) full access to the network?
-
@Dashrender said:
Why is a VPN a security risk? Because they give you (generally) full access to the network?
Correct. They create unnecessary exposure. Direct access to all hosts (typically) for all protocols and ports. The protections of firewalls and proxies are bypassed. They are generally the least secure form of access because they are the laziest - just expose everything and hope for the best.