TheLaughingMan, posted January 24, 2014:

Hi all long time no see, I am wondering about this subject. And how you people would go about this question of securely managing websites remotely? Any ideas would be helpful.

no42, posted January 24, 2014:

3 steps I've taken in the past, bet we can think of some more on this forum?

1) SSH console access; then secure SSH
2) Web front-end/CMS, e.g. cPanel, phpMyAdmin. htaccess file to protect the '/admin' directory (not necessarily labelled admin); in conjunction with (3), move the admin interface to a higher port, using vhosting
3) Firewall and restrict access of IPs allowed to access a management port

digip, posted January 24, 2014:

Above post sums it up pretty much. SSH, SFTP, SCP, TLS/HTTPS usage, VPNs and IP restrictions work well and if not possible to use shell access over SSH, maybe setting up some form of two factor authentication so no one can get in without say a sent passphrase/onetime key sent to your phone or email (securely), or use of things like a YubiKey/smartcards.

TheLaughingMan, posted January 24, 2014:

> Above post sums it up pretty much. SSH, SFTP, SCP, TLS/HTTPS usage, VPNs and IP restrictions work well and if not possible to use shell access over SSH, maybe setting up some form of two factor authentication so no one can get in without say a sent passphrase/onetime key sent to your phone or email (securely), or use of things like a YubiKey/smartcards.

Can RSA tokens be used for the two-factor authentication? Plus, is it compatible with SSH? I know with VPN it is, but not sure with SSH and SCP.

TheLaughingMan, posted January 24, 2014:

What would you guys think about going through IIS7 in Windows Server?

nvemb3r, posted January 24, 2014:

> Above post sums it up pretty much. SSH, SFTP, SCP, TLS/HTTPS usage, VPNs and IP restrictions work well and if not possible to use shell access over SSH, maybe setting up some form of two factor authentication so no one can get in without say a sent passphrase/onetime key sent to your phone or email (securely), or use of things like a YubiKey/smartcards.

One thing I did is whitelist the address ranges for your ISP and VPN for SSH use. That way it would only be accessible from your local area, or through your VPN. That significantly reduced the number of logs coming in from hosts abroad. I did this by messing with the /etc/hosts.allow and /etc/hosts.deny files.

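The allow-list approach nvemb3r describes, as an added example that is not part of the original thread: a small evaluator for the hosts.allow/hosts.deny lookup order (IPv4 only), showing which sources reach sshd and why the deny-all line matters. The address ranges are documentation ranges standing in for an ISP and a VPN, and all rule text is constructed.

```python
import ipaddress

# Constructed rules. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for "my ISP" and "my VPN" (assumed, not from the thread).
HOSTS_ALLOW = """
# /etc/hosts.allow
sshd: 203.0.113.0/255.255.255.0
sshd: 198.51.100.
"""
HOSTS_DENY = """
# /etc/hosts.deny
sshd: ALL
"""

def parse_rules(text):
    """Return [(daemons, clients)] from 'daemon_list : client_list' lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]
        rules.append((daemons.replace(",", " ").split(), clients.replace(",", " ").split()))
    return rules

def client_matches(pattern, ip):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):        # "198.51.100." matches on leading octets
        return str(ip).startswith(pattern)
    if "/" in pattern:               # "net/mask" pair
        return ip in ipaddress.ip_network(pattern, strict=False)
    return str(ip) == pattern        # single address

def matches(rules, daemon, ip):
    return any((daemon in d or "ALL" in d) and any(client_matches(c, ip) for c in cl)
               for d, cl in rules)

def access(daemon, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow is consulted first, then hosts.deny; no match means granted."""
    ip = ipaddress.ip_address(addr)
    if matches(parse_rules(allow), daemon, ip):
        return "granted"
    return "denied" if matches(parse_rules(deny), daemon, ip) else "granted"

if __name__ == "__main__":
    for src in ("203.0.113.45", "198.51.100.7", "192.0.2.50"):  # constructed
        print(src, access("sshd", src))
    print("no deny-all:", access("sshd", "192.0.2.50", deny=""))  # allow-list alone restricts nothing
```

These files only take effect for daemons linked against libwrap; OpenSSH dropped TCP wrappers support in release 6.7, so on current systems the same allow-list belongs in the firewall or in sshd's own configuration.
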
no42, posted January 24, 2014:

> Can RSA tokens be used for the two-factor authentication? Plus, is it compatible with SSH? I know with VPN it is, but not sure with SSH and SCP.

Yes it can, example: http://www.ssh.com/manuals/server-admin/44/RSA_SecurID_Submethod.html

TheLaughingMan, posted January 25, 2014:

> One thing I did is whitelist the address ranges for your ISP and VPN for SSH use. That way it would only be accessible from your local area, or through your VPN. That significantly reduced the number of logs coming in from hosts abroad. I did this by messing with the /etc/hosts.allow and /etc/hosts.deny files.

But you did this with your own VPN and not a 3rd-party VPN, correct?

nvemb3r, posted January 25, 2014:

> But you did this with your own VPN and not a 3rd-party VPN, correct?

I did this through a VPN I subscribed to. While everyone in the Far East can't brute force my OpenSSH service, attacks can still be attempted by anyone else that subscribes to the same VPN, or by users in my area with the same ISP.

In a business environment, it would be better to roll your own VPN (that only a handful of people can access), but have another means of accessing your system other than the VPN. If the VPN is the only way you can SSH into a computer, then that VPN service can be targeted for a DoS attack. Once your VPN goes down, so does SSH access.

TheLaughingMan, posted February 5, 2014:

What about 3rd-party software that can do all this? Because I am thinking about going through Windows Server 2008 with all this. Do you people think this would be the right way to go about all this?

TheLaughingMan, posted February 5, 2014:

Sorry guys for all the questions, but I am doing a school report and want to make sure that I pass this part of my project.