
Thread: Is it safe to open port 22 (SSH) from DMZ to LAN

  1. #1
    Join Date
    Apr 2008
    Beans
    24

    Is it safe to open port 22 (SSH) from DMZ to LAN

    Hello,

    I have a server on DMZ port that uses rsync over ssh to backup files onto a backup server on LAN.

    By default, firewall DENIES any port/services from DMZ to LAN. So I ALLOWED SSH (port 22).

    Is this safe? Thanks.

  2. #2
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    6,022
    Distro
    Xubuntu 15.10 Wily Werewolf

    Re: Is it safe to open port 22 (SSH) from DMZ to LAN

    Not entirely. If someone gets control of the machine on the DMZ, they then have a hole to get into your main LAN via whatever machine the DMZ machine uses SSH to.

    Sometimes I think these things can't be avoided though.

  3. #3
    Join Date
    Nov 2005
    Location
    South Yorkshire, UK
    Beans
    238
    Distro
    Xubuntu 10.04 Lucid Lynx

    Re: Is it safe to open port 22 (SSH) from DMZ to LAN

    At least follow some general precautions on opening up SSH

    - Change the port to something other than 22
    - Deny root access
    - Only allow specified user name(s) access.

  4. #4
    Join Date
    Apr 2008
    Location
    UK
    Beans
    1,098

    Re: Is it safe to open port 22 (SSH) from DMZ to LAN

    Quote Originally Posted by wjrhee77
    Hello,

    I have a server on DMZ port that uses rsync over ssh to backup files onto a backup server on LAN.

    By default, firewall DENIES any port/services from DMZ to LAN. So I ALLOWED SSH (port 22).

    Is this safe? Thanks.

    The server software is up to date and configured securely? That will reduce unauthorized access to so close to zero as not to matter.

    rsync over ssh is secured; for example, by restricting authorized_keys so that sshd on the LAN host will only accept a connection from rsync?

    Looks safe to me.
    Brian.
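
The authorized_keys restriction mentioned in post #4, as an added example that is not part of the thread: a forced-command wrapper on the LAN backup host that accepts only an rsync push into one directory. The script path `/usr/local/bin/rsync-only`, the directory `/srv/backup/dmz`, the address `192.0.2.10` and the key are assumptions chosen for illustration.

```sh
#!/bin/sh
# Forced command for the backup key on the LAN host (added example).
# authorized_keys entry, one line; address, path and key are placeholders:
#   from="192.0.2.10",command="/usr/local/bin/rsync-only",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA...PLACEHOLDER backup@dmz
# sshd runs this script for every session on that key and puts what the
# client asked for in SSH_ORIGINAL_COMMAND.

BACKUP_ROOT="/srv/backup/dmz"    # assumed backup destination on the LAN host

# Succeeds only for the request a push such as `rsync -a dir/ host:DEST`
# generates: rsync --server <short option clusters> . DEST, DEST under BACKUP_ROOT.
rsync_cmd_allowed() (
    set -f                # no globbing while the request is split
    set -- $1             # split on whitespace into $1, $2, ...
    [ $# -ge 4 ] || exit 1
    [ "$1" = rsync ] && [ "$2" = --server ] || exit 1
    shift 2
    while [ $# -gt 2 ]; do
        case $1 in
            # Long options are refused: --sender would let the DMZ host read
            # LAN files, --log-file would write outside BACKUP_ROOT.
            --*|-*[!A-Za-z0-9.]*) exit 1 ;;
            -?*) ;;
            *) exit 1 ;;
        esac
        shift
    done
    [ "$1" = . ] || exit 1
    case $2 in
        *..*|*[!A-Za-z0-9./_-]*) exit 1 ;;             # traversal, metacharacters
        "$BACKUP_ROOT"|"$BACKUP_ROOT"/*) exit 0 ;;
    esac
    exit 1
)

# Set only when the client requested a command. A plain login request leaves
# it unset, so the script ends and the session closes without a shell.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if rsync_cmd_allowed "$SSH_ORIGINAL_COMMAND"; then
        set -f
        exec $SSH_ORIGINAL_COMMAND    # unquoted on purpose: validated words only
    fi
    logger -p auth.warning -t rsync-only "rejected: $SSH_ORIGINAL_COMMAND"
    echo "rsync-only: command rejected" >&2
    exit 1
fi
```

With this in place a compromised DMZ host holding the key can still overwrite files under the backup directory, but it gets no shell, no port forwarding and no read access to the LAN host. The `rrsync` script shipped with rsync covers more transfer modes than this push-only wrapper.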

  5. #5
    Join Date
    Apr 2008
    Beans
    24

    Re: Is it safe to open port 22 (SSH) from DMZ to LAN

    Great! Thanks for all your inputs.

  6. #6
    Join Date
    Jun 2006
    Location
    Switzerland
    Beans
    Hidden!
    Distro
    Kubuntu Jaunty Jackalope (testing)

    Re: Is it safe to open port 22 (SSH) from DMZ to LAN

    changing ports won't do much good

    use a tool like denyhosts that will auto-ban an ip after several failed login attempts

    use strong passwords

    maybe create another user and give him root rights (if you require root to rsync the files) and use this one then for rsyncing

  7. #7
    Join Date
    Dec 2005
    Location
    USA
    Beans
    886
    Distro
    Ubuntu

    Re: Is it safe to open port 22 (SSH) from DMZ to LAN

    Quote Originally Posted by hyper_ch
    changing ports won't do much good

    use a tool like denyhosts that will auto-ban an ip after several failed login attempts

    use strong passwords

    maybe create another user and give him root rights (if you require root to rsync the files) and use this one then for rsyncing

    I disagree with the first part - changing ports WILL do a lot of good. I would have several hundred attempts in a 48 hour period when using port 22. After switching to port 22222 it dropped to 0.

    Beyond that, yes, using strong passwords and denyhosts will also go a long way (much longer than changing ports).

    -Richard
    I use both Windows and Linux. Is that a crime? || Ubuntu User # 16597

  8. #8
    Join Date
    Jun 2006
    Location
    Switzerland
    Beans
    Hidden!
    Distro
    Kubuntu Jaunty Jackalope (testing)

    Re: Is it safe to open port 22 (SSH) from DMZ to LAN

    if those several hundred attempts just check port 22 then you don't have to worry about them anyway

  9. #9
    Join Date
    Dec 2005
    Location
    USA
    Beans
    886
    Distro
    Ubuntu

    Re: Is it safe to open port 22 (SSH) from DMZ to LAN

    Quote Originally Posted by hyper_ch
    if those several hundred attempts just check port 22 then you don't have to worry about them anyway

    By "attempts" I mean someone tried to log onto the server. Naturally these are bot programs looking for any open SSH server. Moving the port to something else will render them rather useless as they usually only look at the default port.

    -Richard
    I use both Windows and Linux. Is that a crime? || Ubuntu User # 16597

  10. #10
    Join Date
    Jun 2006
    Location
    Switzerland
    Beans
    Hidden!
    Distro
    Kubuntu Jaunty Jackalope (testing)

    Re: Is it safe to open port 22 (SSH) from DMZ to LAN

    I know what you mean.... and hence my answer
