<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><br class=""><div><blockquote type="cite" class=""><div class="">Many of you noted that in order for you to be able to ssh to the<br class="">instance, you'll have to open up the necessary firewall rules. Many of<br class="">you then issued the following command:<br class=""><br class="">ec2-authorize <some group> -P tcp -p 22 -s 0.0.0.0/0<br class=""><br class="">Please review whether or not that is the best option and if you can<br class="">tighten this up. We will talk about security a lot in this class, and<br class="">you want to follow what is known as the Principle of Least Privilege and<br class="">only allow what is absolutely necessary. How can you allow any system<br class="">from Stevens access via SSH, but not anybody from anywhere?<br class=""><br class=""></div></blockquote></div><br class=""><div class="">I think the best way is login by private certificate and only listen the ip of <a href="http://linux-lab.cs.stevens.edu" class="">linux-lab.cs.stevens.edu</a>. </div><div class="">Close the password, we can prevent the illegal tries.</div><div class="">Only listen the ip of <a href="http://linux-lab.cs.stevens.edu" class="">linux-lab.cs.stevens.edu</a>, we can prevent the unknown flaw of sshd.</div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">Close the way that login by password. modify /etc/ssh/sshd_config</div><div class="">change the value PasswordAuthentication to no.</div><div class=""><br class=""></div><div class="">Whenever and wherever we want to login ec2, we only need to login the <a href="http://linux-lab.cs.stevens.edu" class="">linux-lab.cs.stevens.edu</a> and login ec2 through <a href="http://linux-lab.cs.stevens.edu" class="">linux-lab.cs.stevens.edu</a>. </div><div class=""><br class=""></div><div class="">The role of <a href="http://linux-lab.cs.stevens.edu" class="">linux-lab.cs.stevens.edu</a> is a transfer. We can login <a href="http://linux-lab.cs.stevens.edu" class="">linux-lab.cs.stevens.edu</a> wherever we are, but we can only login ec2 by <a href="http://linux-lab.cs.stevens.edu" class="">linux-lab.cs.stevens.edu</a></div></body></html>