[dba-Tech] Server Hardening? Really?

Hans-Christian Andersen hans.andersen at phulse.com
Tue Mar 5 11:32:16 CST 2013


I would generally agree that it is a bad idea to have remote desktop accessible from the web. A better alternative is to set up a VPN or, at the very least, to use port knocking to secure the server better from malicious background internet traffic. Another alternative, which I use, is a tool on Linux called fail2ban, which monitors your logs for failed login attempts and bans in the firewall any IPs that failed to log in 3 times. Works like a charm. But I wouldn't allow any service that doesn't need to be public to be accessible publicly, in principle. It may seem safe today, but once a zero-day exploit comes around...

- Hans


 
On 2013-03-05, at 9:19 AM, "Dan Waters" <df.waters at comcast.net> wrote:

> One of my customers is a subsidiary of a larger company.  That company has
> contracted with Computer Services Company (CSC) to provide computer and
> network services.  (CSC was recently fired by the US Air Force for not
> fulfilling a contract to provide a large software system.)
>
> At my customer, CSC is doing what they call 'server hardening'.  A
> consequence of this is that remote desktop access is no longer allowed - so
> I can no longer directly update or maintain the system I've built for them.
> Even my customer's employees have lost their remote access to this server.
> I have yet to figure out how to make this work.  BTW, the folks at my
> customer have been infuriated by CSC's actions for a couple of years now and
> they are angrier than I am.
>
> So, I'd like to ask everyone if you believe that preventing remote desktop
> access is appropriate for server hardening.  Or, what steps could be done to
> provide equivalently secure remote access?
>
> Thanks!
> 
> Dan Waters 



