Dan Waters
df.waters at comcast.net
Tue Mar 5 12:52:12 CST 2013
Hi Hans, I should have said that I do connect using their VPN (Aventail) which does require a username and password. This is just for my access, and isn't public from the web. Thanks! Dan -----Original Message----- From: dba-tech-bounces at databaseadvisors.com [mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Hans-Christian Andersen Sent: Tuesday, March 05, 2013 11:32 AM To: Discussion of Hardware and Software issues Subject: Re: [dba-Tech] Server Hardening? Really? I would generally agree that it is a bad idea to have remote desktop accessible from the web. A better alternative is to set up a VPN or, at the very least, using port knocking to secure the server better from malicious background internet traffic. Another alternative, which I use, is a tool on Linux called fail2ban, which monitors your logs for failed login attempts and bans any IP's that failed to login 3 times in the firewall. Works like a charm. But, I wouldn't allow any service that doesn't need to be public to be accessible publicly in principle. It may seem safe today, but once a zero-day exploit comes around... - Hans On 2013-03-05, at 9:19 AM, "Dan Waters" <df.waters at comcast.net> wrote: > One of my customers is a subsidiary of a larger company. That company > has contracted with Computer Services Company (CSC) to provide > computer and network services. (CSC was recently fired by the US Air > Force for not fulfilling a contract to provide a large software > system.) > > > > At my customer, CSC is doing what they call 'server hardening'. A > consequence of this is that remote desktop access is no longer allowed > - so I can no longer directly update or maintain the system I've built for them. > Even my customer's employees have lost their remote access to this server. > I have yet to figure out how to make this work. BTW, the folks at my > customer have been infuriated by CSC's actions for a couple of years > now and they are angrier than I am. > > > > So, I'd like to ask everyone if you believe that preventing remote > desktop access is appropriate for server hardening. Or, what steps > could be done to provide equivalently secure remote access? > > > > > > Thanks! > > Dan Waters > > > > _______________________________________________ > dba-Tech mailing list > dba-Tech at databaseadvisors.com > http://databaseadvisors.com/mailman/listinfo/dba-tech > Website: http://www.databaseadvisors.com _______________________________________________ dba-Tech mailing list dba-Tech at databaseadvisors.com http://databaseadvisors.com/mailman/listinfo/dba-tech Website: http://www.databaseadvisors.com