[cs615asa] HW1

Xiakun Lu xlu9 at stevens.edu
Sat Feb 7 02:01:59 EST 2015


> Many of you noted that in order for you to be able to ssh to the
> instance, you'll have to open up the necessary firewall rules.  Many of
> you then issued the following command:
> 
> ec2-authorize <some group> -P tcp -p 22 -s 0.0.0.0/0
> 
> Please review whether or not that is the best option and if you can
> tighten this up.  We will talk about security a lot in this class, and
> you want to follow what is known as the Principle of Least Privilege and
> only allow what is absolutely necessary.  How can you allow any system
> from Stevens access via SSH, but not anybody from anywhere?
> 

I think the best way is to log in by private certificate and to only listen to the IP of linux-lab.cs.stevens.edu.
If we close password login, we can prevent the illegal tries.
If we only listen to the IP of linux-lab.cs.stevens.edu, we can protect against unknown flaws of sshd.


Close the way of logging in by password: modify /etc/ssh/sshd_config and
change the value of PasswordAuthentication to no.

Whenever and wherever we want to log in to EC2, we only need to log in to linux-lab.cs.stevens.edu and then log in to EC2 through linux-lab.cs.stevens.edu.

The role of linux-lab.cs.stevens.edu is as a transfer point. We can log in to linux-lab.cs.stevens.edu wherever we are, but we can only log in to EC2 via linux-lab.cs.stevens.edu.
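An added check for the two controls discussed in this thread (this is example code, not part of the original post): it flags any security-group rule that exposes TCP/22 beyond the jump host, and reads an sshd_config the way sshd does (first value wins) to confirm PasswordAuthentication is really off. The jump host's address is a constructed placeholder, since the real IP of linux-lab.cs.stevens.edu is not given here.

```python
"""Audit SSH ingress rules and an sshd_config for the two controls from the
thread: TCP/22 reachable only from the jump host, and password logins off."""
import ipaddress

# Constructed placeholder for the jump host's address (the real IP of
# linux-lab.cs.stevens.edu is not on the page): an RFC 5737 TEST-NET-2 value.
JUMP_HOST_NET = ipaddress.ip_network("198.51.100.7/32")


def ssh_ingress_findings(rules, allowed_nets=(JUMP_HOST_NET,)):
    """rules: (proto, from_port, to_port, cidr) tuples as a security group
    lists them. Returns source CIDRs exposing TCP/22 beyond allowed_nets."""
    findings = []
    for proto, from_port, to_port, cidr in rules:
        if proto != "tcp" or not from_port <= 22 <= to_port:
            continue
        src = ipaddress.ip_network(cidr, strict=False)
        # Acceptable only if the source lies entirely inside an allowed
        # network of the same IP version; 0.0.0.0/0 and ::/0 never do.
        if not any(src.version == a.version and src.subnet_of(a)
                   for a in allowed_nets):
            findings.append(cidr)
    return findings


def password_auth_disabled(sshd_config_text):
    """sshd(8) keeps the FIRST value it reads for a keyword, so a later
    'PasswordAuthentication no' does not undo an earlier 'yes'. Parsing stops
    at the first Match block (conditional settings); absent means default 'yes'."""
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            break
        if key == "passwordauthentication":
            return value == "no"
    return False


# Constructed sample input: the broad rule from the assignment beside the
# tightened one, and a config where a stray 'yes' precedes the 'no'.
SAMPLE_RULES = [("tcp", 22, 22, "0.0.0.0/0"),        # ec2-authorize ... -s 0.0.0.0/0
                ("tcp", 22, 22, "198.51.100.7/32"),  # jump host only
                ("tcp", 80, 80, "0.0.0.0/0")]        # not SSH, out of scope here
SAMPLE_SSHD = "Port 22\nPasswordAuthentication yes\nPasswordAuthentication no\n"
```

Running `ssh_ingress_findings(SAMPLE_RULES)` reports only the 0.0.0.0/0 rule, and `password_auth_disabled(SAMPLE_SSHD)` returns False because the earlier `yes` is the one sshd honours.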