The internet can be a dangerous place. Data and
personal information can be attacked from malicious hackers, script kiddies,
and open relays. The open relay option even provides the user the
added bonus of anonymity.
The logical solution would be to hide everything behind
a firewall and lock it down. While data is safer behind a firewall,
the experienced hacker might still be able to access it. Firewalls can
also be a hindrance to remote data access. With larger number of
companies choosing to cut cost by moving to remote offices for employees it
is vital that they balance data protection against data access. Even
if companies do not have telecommuters on their work force, they may need
remote data access for traveling workers or even for clients. Whatever
the reason, it is vital that they be able to access the data while
protecting it as well.
There are several problems with remote connections.
For example, when using user name and password authentication, if that
information is captured the entire network is compromised. Another
would be passing data in clear text which leaves personal data exposed.
Now that we've looked at some of the problems with
having remote access to data, what are options for a solution? An
excellent choice is a virtual private network (VPN), which allows for secure
authentication, host/client validation, and passwords behind keys.
Another option would be a secure shell which allows for secure
authentication, can use keys, and can be included with all UNIX/Linux.
Secure Shell (SSH) is a protocol, not a shell. The SSH allows a
connection to BASH, which is a Unix shell. The SSH offers secure
authentication, secure file transfer, secure remote command execution, and
implements PK Infrastructure.
Port Forwarding is an option with SSH. Standard SSH Port is Port
22, however you can forward this port to another server. That server
must also have a firewall. SSH starts as an encrypted connection.
Authentication is also encrypted with SSH. On first connection, a host
key is exchanged and stored on the server. This will defeat the "man
in the middle" attack. Once authentication is valid, it connects the
user to normal shell.
Firewalls are our first line of defense against attack.
A firewall will be able to hide all of the network computers behind it, it
can refuse to answer PINGs and some will inspect network packets. It
is vitally important to always use a firewall - even at hotels.
Script kiddies are normally not highly skilled.
The common script kiddie will download a script from the internet, scan a
set of IP addresses, look for SSH, Telnet, Mail, etc. connections, and then
perform scripted password attacks. The common home mail/web server
gets around 1,500 attempts a day. Some days they can receive over
Some of the best ways to stop script kiddies is to get
off Port 22, Implement IPTABLES to lockout any IP with a certain number of
failed attempts for a designated number of minutes, and to disable passwords
and instead use Public Private Keys and RSA Keys.
Public Private Keys are a key pair, one public and
available, the other private and secure. The public key encrypts only
while the private key decrypts only. The private key should be
encrypted with a pass phrase and is used to encrypt authentication.
The SSH Server Configuration file on Linux is:
To modify your configuration you must be in ROOT. Uncommented
options will change a default setting.
Turn on key authentication.
Turn off passwords.
Turn off direct root logons while you are at it.
This is also the place to change the ssh port.
Then restart the ssh server to
activate the changes.
root]# service sshd restart
Stopping sshd:[ OK
Starting sshd:[ OK
In conclusion, a properly set up SSH can provide a secure, protector
remote login capability. This SSH will also provide encrypted
authentication and "man in the middle" protection.
If you like Oracle tuning, you
might enjoy my book "Oracle
Tuning: The Definitive Reference", with 950 pages of tuning tips and
You can buy it direct from the publisher for 30%-off and get instant
access to the code depot of Oracle tuning scripts.