On Thu, 16 Mar 2006, in the Usenet newsgroup comp.os.linux.networking, in
Quote:>We have home offices. I have a business DSL line with a single static IP
>and a registered domain. I have a half dozen Linux machines which I use
>for development and as file servers.
OK - look at the address you are using on that domain. If you do a DNS
lookup of the domain name, you get an IP address. If you then do a second
lookup - this time of the IP address, does it return your hostname, or
some generic stuff (generic defined as a hostname that contains the IP
address in some form such as 192.0.2.22 -> dsl-192-000-002-022.provider.com
or similar). Second, look up the IP address in the various RBL lists -
one way being http://www.TQMcube.com/rblcheck.htm (uses tables) and see
that the provider is clean. We've null-routed quite a number of providers
because of spam problems - some of them being quite large. In a couple of
cases, we've had to cut holes to "whitelist" some entity that has chosen
a poor provider. I know you can't get a direct assignment from an RIR, but
see if your provider will SWIP the address to you, or at least list you
on their rwhois server. That builds confidence not only in network
security types, but also mail administrators.
Quote:>I have two dedicated servers that connect to the Internet though ssh. One
>server, on port 22, is our CVS server. That server is accessed by my
>partners and me and is used to collaborate on development. The only
>machines that are authorized to connect to it (I use RSA authorization,
>passwords are disabled) belong to me and my partners.
OK, with a single address, I can see your problem.
>The other machine is my release server, which has ssh mapped to a high
>Each customer has a user account on the release server. I place code
>releases for them in their accounts.
I don't know what your threat model is, yada, yada, yada. You want to
separate the two SSH servers - that's fine. If all your customers can do
is download AND NOTHING ELSE, I'd suggest having a strong username and
password setup for each, set permissions so that they can't do anything
except download, and then leave it on 22. I'd have the CVS server using
the non-standard port number, as your people would be minimally
inconvenienced. That would appear more on the "up-and-up" to the paranoid
net security types.
The bit about "strong username" - do your customers have a frequent need
to be connecting? Would writing down the username and password be something
normal (mainly because of infrequent use)? If so, consider generating
usernames the way we _used_ to generate initial passwords. Either
'head -2 /dev/random | uuencode /dev/stdout' or 'head -2 /dev/random |
mimencode' and in either case, select a string that begins with a letter
consisting of letters and numbers only. Using mixed case would increase
security and is permitted by most systems, but probably should be avoided
to prevent confusing the users. While you're at it - there is also the
password a little further into the string.
Quote:>I've also set the privileges on all accounts to 700 so that no
>customer can see the content of any other customer's directory.
Do they _need_ to be writable by the customers?
Quote:>For the startups this setup works fine. For the big companies this doesn't
>work because their firewalls don't permit them to access my server. The
>work around so far is that my customers at these companies have used their
>home machines to access the server.
That doesn't work here - we don't allow _any_ access to the home systems
from our network. I can't say much more than that.
Quote:>I've tried moving the port to 20 (FTP) figuring that a company is unlikely
>to block FTP, but that didn't work.
You'd have to ask them why, but depending on your provider, I can't see
any reason why that wouldn't work. Of course if your address is in the
middle of SpammersRus.com, there would be problems.
Quote:>Does anyone have any suggestions about a means for providing access to
>releases to customers at big companies? My requirements are 1) Reasonably
>straight forward access for my customers. 2) Good security for me. 3) Runs
From my view, clean address, resolves both ways, and a known port would
_probably_ get the best results. Security for you comes from having good
usernames. and running on up-to-date Linux (or similar).