Securing A Linux Web Server


webdoctor - 8:54 pm on Mar 19, 2007 (gmt 0)


I suggested a 'request for access' type method.

You send off an email requesting the service. Only then is it started.

...and if your mailserver has problems, you lose control of your server. I wouldn't want to be in *that* boat without a paddle.

I'd prefer a serial console connection. Never heard of any serious software issues with a properly screwed-in serial cable :-)

I had thought of using a webform to control services (...)

I prefer to use the command line to control services. After all, that's what it's there for.

Here's a question: what is it about running a ssh daemon in particular that worries people?

Software vulnerabilities in the ssh daemon? Come on, you're running a public web- and/or mailserver on your box, it's not as if your machine is invisible to the internet. You're probably running a few scripts, PHP, cgi, MySQL, ...

If you're worried about brute-force password attacks, either

1) choose a long password (my root passwords tend to be 10 - 15 characters long, and they're random. Yes, *really* random. Of course they're written down on a piece of paper, but if my house gets burgled *and* the burglars crack open my safe then I think losing my root password is probably the last of my worries...)

or

2) switch to public/private key authentication. Just make sure you back up your private key properly - it's a long drive to the data center :-)

[Port knocking is...] another technique for "hiding" sshd (and other) services

IMHO there's (a) a whiff of security by obscurity about this, and (b) it's also just a bit too "James Bond" for me. I'd prefer to use serial console redirection.

Another question: How many people here block ping requests at their firewall? Why?


Thread source: http://www.webmasterworld.com/linux/3285421.htm
Brought to you by WebmasterWorld: http://www.webmasterworld.com