[RDD] security breach

James Harrison james at talkunafraid.co.uk
Mon Nov 26 05:20:01 EST 2012


Also check out the Mikrotik routers - the 450G works great, and supports 
hosting OpenVPN, L2TP and IPsec based VPN services on the same router. 
Complete solution for about £80.

Cheers,
James Harrison


On 26/11/12 10:05, Wayne Merricks wrote:
> I second the OpenVPN approach. If you can spare a box of any sort for a serious firewall, look at pfsense.org; it was really easy to set up and has some other additions that kick the ass out of my old Cisco PIX Firewall (and the newer ASA).
>
> Stuff like:
>
> Failover WAN
> Traffic Shaping
> Traffic Monitoring/Logging via transparent proxy
> Caching including Youtube videos via the same proxy
> On the fly virus scanning
>
> -----Original Message-----
> From: rivendell-dev-bounces at lists.rivendellaudio.org on behalf of Kevin Miller
> Sent: Sun 25/11/2012 23:32
> To: User discussion about the Rivendell Radio Automation System
> Subject: Re: [RDD] security breach
>
> On 11/25/2012 10:51 AM, James Harrison wrote:
>> Best approach is not to use passwords - SSH keys are simple to set up
>> and you can disable password authentication in sshd, which makes your
>> system practically uncrackable.
> Took the words right out of my mouth.  The other thing I like to do is
> disable ssh 1 and ssh to root.  If you need root access from afar, ssh
> to a non-privileged account then "su -" to gain root.
>
>> Fail2ban is also an excellent program to run - it will automatically
>> block in iptables anything that fails to log in more than a few times,
>> which stops most automated bots.
> As a further step, you could set up an OpenVPN server and not expose
> your Rivendell box to inbound internet traffic at all.  You create a
> tunnel to the OpenVPN server then you're 'local' and can ssh to the rd
> host.  Linux Journal had a great three part write-up on this a few years
> back in the Paranoid Penguin column.  (The ssh/OpenVPN part, not the
> Rivendell part.)  Best of luck with the cleanup...
>
> ...Kevin
>
>
> _______________________________________________
> Rivendell-dev mailing list
> Rivendell-dev at lists.rivendellaudio.org
> http://lists.rivendellaudio.org/mailman/listinfo/rivendell-dev
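
The sshd settings recommended in this thread (no password authentication, no root login, no SSH protocol 1) can be checked mechanically. The following is an added example, not part of any poster's message: the sample configuration is constructed, the function names `parse` and `audit` are hypothetical, and it relies on sshd keeping the first value it reads for each keyword.

```python
# Added example: audit sshd_config text against the advice in this thread.
SAMPLE_CONFIG = """\
# constructed sample, not taken from the thread
Port 22
Protocol 2,1
PermitRootLogin no
passwordauthentication no
# the next line is ignored by sshd: the first value for a keyword wins
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

LOGIN_KEYS = ("passwordauthentication", "permitrootlogin")

def parse(text):
    """Return (global settings, Match-block overrides) from sshd_config text."""
    global_cfg, overrides, scope = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()              # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            scope = value                   # later lines apply only to this Match
        elif scope is None:
            global_cfg.setdefault(key, value)   # keep the first value only
        else:
            overrides.append((scope, key, value))
    return global_cfg, overrides

def audit(text):
    """Return a list of findings; an empty list means the checks passed."""
    cfg, overrides = parse(text)
    findings = []
    for key in LOGIN_KEYS:
        value = cfg.get(key)
        if value is None:
            findings.append(f"{key}: not set, the build default applies; set it to 'no'")
        elif value != "no":
            findings.append(f"{key}: '{value}', expected 'no'")
    # Assumption: an absent Protocol line is not flagged, since current
    # OpenSSH releases no longer implement protocol 1.
    if "1" in cfg.get("protocol", "").split(","):
        findings.append("protocol: SSH protocol 1 is enabled")
    for scope, key, value in overrides:
        if key in LOGIN_KEYS and value != "no":
            findings.append(f"Match {scope}: {key} '{value}' overrides the global setting")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)) or "no findings")
```
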