[dba-Tech] Server Hardening? Really?

Dan Waters df.waters at comcast.net
Tue Mar 5 12:52:12 CST 2013


Hi Hans,

I should have said that I do connect using their VPN (Aventail) which does
require a username and password.  This is just for my access, and isn't
public from the web.

Thanks!
Dan

-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com
[mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Hans-Christian
Andersen
Sent: Tuesday, March 05, 2013 11:32 AM
To: Discussion of Hardware and Software issues
Subject: Re: [dba-Tech] Server Hardening? Really?

I would generally agree that it is a bad idea to have remote desktop
accessible from the web. A better alternative is to set up a VPN or, at the
very least, to use port knocking to secure the server better from malicious
background internet traffic. Another alternative, which I use, is a tool on
Linux called fail2ban, which monitors your logs for failed login attempts
and bans any IPs that failed to log in 3 times in the firewall. Works like a
charm. But, I wouldn't allow any service that doesn't need to be public to
be accessible publicly in principle. It may seem safe today, but once a
zero-day exploit comes around...

- Hans

On 2013-03-05, at 9:19 AM, "Dan Waters" <df.waters at comcast.net> wrote:

> One of my customers is a subsidiary of a larger company.  That company 
> has contracted with Computer Services Company (CSC) to provide 
> computer and network services.  (CSC was recently fired by the US Air 
> Force for not fulfilling a contract to provide a large software 
> system.)
> 
> At my customer, CSC is doing what they call 'server hardening'.  A 
> consequence of this is that remote desktop access is no longer allowed 
> - so I can no longer directly update or maintain the system I've built for 
> them.
> Even my customer's employees have lost their remote access to this server.
> I have yet to figure out how to make this work.  BTW, the folks at my 
> customer have been infuriated by CSC's actions for a couple of years 
> now and they are angrier than I am.
> 
> So, I'd like to ask everyone if you believe that preventing remote 
> desktop access is appropriate for server hardening.  Or, what steps 
> could be done to provide equivalently secure remote access?
> 
> Thanks!
> 
> Dan Waters
> 
> _______________________________________________
> dba-Tech mailing list
> dba-Tech at databaseadvisors.com
> http://databaseadvisors.com/mailman/listinfo/dba-tech
> Website: http://www.databaseadvisors.com
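
The "ban after 3 failed logins" behaviour Hans describes for fail2ban, reimplemented as a small detector over constructed sshd log lines. This is an added illustration, not fail2ban's own code; the log lines, hostnames and RFC 5737 addresses are made up, and the maxretry/findtime parameters mirror fail2ban's concepts (3 failures within a 10-minute window) rather than any particular installation's settings.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
Mar  5 12:01:10 srv sshd[4101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  5 12:01:14 srv sshd[4102]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Mar  5 12:01:30 srv sshd[4103]: Accepted password for dan from 198.51.100.4 port 2222 ssh2
Mar  5 12:01:41 srv sshd[4104]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  5 12:05:00 srv sshd[4105]: Failed password for dan from 198.51.100.4 port 2223 ssh2
Mar  5 12:20:00 srv sshd[4106]: Failed password for dan from 198.51.100.4 port 2224 ssh2
Mar  5 12:35:00 srv sshd[4107]: Failed password for dan from 198.51.100.4 port 2225 ssh2
"""

# Matches only failed sshd password attempts; captures the syslog timestamp and source IP.
FAIL_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* "
    r"from (\d+\.\d+\.\d+\.\d+) port"
)


def find_bans(log_text, maxretry=3, findtime=600, year=2013):
    """Return {ip: time_of_ban} for every source that reached `maxretry`
    failures inside any sliding `findtime`-second window (the maxretry /
    findtime idea from fail2ban, written out here as an illustration).
    Syslog lines carry no year, so one is assumed."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    bans = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m or m.group(2) in bans:  # not a failure, or already banned
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:  # expire old failures
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = ts
    return bans


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

The second host fails three times too, but spread 15 minutes apart, so it never accumulates 3 failures inside a 10-minute window and is not banned; widening findtime changes that, which is why the window matters as much as the retry count.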

