[Savannah-hackers-public] Re: ssh logins to lists.gnu.org


From: Ward Vandewege
Subject: [Savannah-hackers-public] Re: ssh logins to lists.gnu.org
Date: Wed, 21 Jan 2009 15:04:08 -0500
User-agent: Mutt/1.5.17+20080114 (2008-01-14)

On Wed, Jan 21, 2009 at 08:44:24PM +0100, Sylvain Beucler wrote:
> Yes, all those people are Savannah Hackers (except maybe Patrick,
> though there's no reason to revoke his access as of now).

OK, thanks for confirming that.

> Do you *really* want to introduce IP-based restrictions? This kind of
> thing is a major inconvenience.

I understand it can be inconvenient if you don't have access to a machine
with a fixed IP. Is that the problem? If so, we could allow access from
fencepost, for instance.

If the inconvenience is simply having to jump through a machine to get to
lists, you could use a .ssh/config stanza like this to automate it:

 Host lists
   ProxyCommand ssh address@hidden -C $SSH_PROXY_FLAGS nc -w60 lists.gnu.org 22
   User lists

Or are there other reasons why this is a major inconvenience?

We've seen a lot of ssh brute force attacks lately, and as you know lists is
not the most modern system. We're going to do something about that: we are
currently waiting for replacement hardware. In the meantime, we think it is
still wise to avoid the whole ssh brute forcing problem by not making the
port accessible from the whole internet to start out with.

Does that make sense?

Thanks,
Ward.

-- 
Ward Vandewege <address@hidden>
Free Software Foundation - Senior Systems Administrator
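
An added example, not part of Ward's message: a short Python sketch that weighs both sides of the trade-off discussed above by replaying sshd log lines against a source-IP allowlist. The log lines are constructed sample data using documentation address ranges, and 192.0.2.10 is an assumed stand-in for a fixed-IP jump host.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample sshd log lines (documentation address ranges, not real data).
SAMPLE_LOG = """\
Jan 21 14:01:02 lists sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Jan 21 14:01:04 lists sshd[2103]: Failed password for root from 203.0.113.7 port 40120 ssh2
Jan 21 14:01:09 lists sshd[2107]: Failed password for invalid user test from 198.51.100.23 port 51514 ssh2
Jan 21 14:02:30 lists sshd[2111]: Accepted publickey for lists from 192.0.2.10 port 38822 ssh2
Jan 21 14:03:11 lists sshd[2115]: Failed password for root from 203.0.113.7 port 40188 ssh2
Jan 21 14:05:45 lists sshd[2120]: Accepted publickey for lists from 198.51.100.99 port 60001 ssh2
"""

# Assumption: 192.0.2.10 stands in for the fixed-IP jump host.
ALLOWED = [ipaddress.ip_network("192.0.2.10/32")]

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed password|Accepted \w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def is_allowed(ip, networks=ALLOWED):
    """True if the source address falls inside any allowlisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def assess(log_text, networks=ALLOWED):
    """Return (failures the allowlist would drop, failures still reaching
    sshd, successful logins that would have to move to the jump host)."""
    filtered, remaining, locked_out = Counter(), Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip, ok = m["ip"], is_allowed(m["ip"], networks)
        if m["result"].startswith("Failed"):
            (remaining if ok else filtered)[ip] += 1
        elif not ok:
            locked_out.append((m["user"], ip))
    return filtered, remaining, locked_out

if __name__ == "__main__":
    filtered, remaining, locked_out = assess(SAMPLE_LOG)
    print("failed attempts the allowlist would drop:", dict(filtered))
    print("failed attempts still reaching sshd:", dict(remaining))
    print("successful logins that would need the jump host:", locked_out)
```
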



