Hi,
I'm in doubt about the argument of installing sshd on a firewall vs. security vulnerabilities with remote syslog, please see below:
1. pf redirect + ssh forward:
The server is in the DMZ and exhibits a web service, git and sftp.
I want to protect the web service using ssh tunnel - the web service has vulnerabilities.
I would like to redirect ssh traffic to the web server, instead of port forwarding from the firewall. This way I'll avoid installing ssh on the firewall (including users). Because of git and sftp, I need to install sshd on the server (in the dmz) anyway.
Question: is this the best setup - I mean, redirect ssh traffic to the server and do port forward to localhost on the server (and not the firewall), so that users can tunnel http using localhost (with some port) in their browser?
2. ssh blacklisting
I would like to blacklist hosts doing ssh attacks. Currently I'm looking at sshguard-pf and then use remote syslog to notify sshguard-pf (on the fw) about the attack. This way the attacker is allowed to the server (dmz) only on the first attempt - and blocked in the future by the firewall.
Question: all doc is warning about remote syslog. I would be happy to get some input.
Thanks.
PS the ssh port is moved and I'm using 1024 dsa keys with passphrase (going to compile ssh with kerberos). I'm using portsentry also.
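To make the sshguard-pf / remote-syslog part of the question concrete, here is an added example (not the poster's setup and not sshguard's own code) of the decision a collector on the firewall has to make: parse the sshd failure lines relayed from the DMZ host, count failures per source, and emit `pfctl` table additions, with the checks that matter when the input arrives over syslog. The reporting hostname `dmz1`, the pf table name `sshguard`, the threshold and the log lines are all constructed for this example; addresses are from the RFC 5737 documentation ranges, with 10.0.0.5 standing in for an internal admin host.

```python
"""Decide which SSH attackers a pf firewall should add to a block table,
from sshd syslog lines relayed by a DMZ host.

Added example for this thread: not sshguard's code and not the poster's
configuration. The hostname "dmz1", the table name "sshguard" and every
address below are assumptions / constructed data.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample of what the firewall's syslog collector might receive.
# It deliberately mixes in: a successful login, failures reported by some
# other host, a line whose "address" is garbage, and a line whose username
# itself contains a fake "from <ip> port <n> ssh2" fragment.
SAMPLE_LOG = """\
Mar  3 10:01:02 dmz1 sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:04 dmz1 sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Mar  3 10:01:06 dmz1 sshd[1235]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:01:07 dmz1 sshd[1240]: Failed password for bob from 192.0.2.9 port 40000 ssh2
Mar  3 10:01:09 dmz1 sshd[1241]: Invalid user test from 198.51.100.4
Mar  3 10:01:10 dmz1 sshd[1242]: Failed password for alice from 10.0.0.5 port 50000 ssh2
Mar  3 10:01:11 dmz1 sshd[1242]: Failed password for alice from 10.0.0.5 port 50001 ssh2
Mar  3 10:01:12 dmz1 sshd[1242]: Failed password for alice from 10.0.0.5 port 50002 ssh2
Mar  3 10:01:13 dmz1 sshd[1243]: Accepted publickey for bob from 192.0.2.9 port 40001 ssh2
Mar  3 10:01:14 intranet1 sshd[77]: Failed password for root from 203.0.113.99 port 1000 ssh2
Mar  3 10:01:15 intranet1 sshd[77]: Failed password for root from 203.0.113.99 port 1001 ssh2
Mar  3 10:01:16 intranet1 sshd[77]: Failed password for root from 203.0.113.99 port 1002 ssh2
Mar  3 10:01:17 dmz1 sshd[1244]: Failed password for invalid user y from notanip port 1 ssh2
Mar  3 10:01:18 dmz1 sshd[1245]: Failed password for invalid user foo from 192.0.2.9 port 1 ssh2 from 203.0.113.7 port 51250 ssh2
"""

# BSD syslog prefix: "Mon  d HH:MM:SS host sshd[pid]: "
PREFIX = r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) sshd\[\d+\]: "

# Both patterns are anchored at the END of the line and use a greedy ".*"
# before the final "from", so the source address is always taken from the
# last "from ... " fragment sshd wrote, not from text an attacker placed in
# the username field.
PATTERNS = [
    re.compile(PREFIX + r"Failed \S+ for .* from (?P<ip>\S+) port \d+ ssh2$"),
    re.compile(PREFIX + r"Invalid user .* from (?P<ip>\S+)(?: port \d+)?$"),
]


def source_of_failure(line, reporting_host="dmz1"):
    """Return the attacking address (as a string) for a failed-login line
    reported by `reporting_host`, or None for anything else."""
    for pat in PATTERNS:
        m = pat.match(line)
        if not m:
            continue
        if m.group("host") != reporting_host:
            return None  # not the host we asked to feed us (cheap sanity check only)
        try:
            return str(ipaddress.ip_address(m.group("ip")))
        except ValueError:
            return None  # refuse to put a non-address into a pf table
    return None


def count_failures(lines, reporting_host="dmz1"):
    """Count failed logins per source address."""
    counts = Counter()
    for line in lines:
        ip = source_of_failure(line, reporting_host)
        if ip is not None:
            counts[ip] += 1
    return dict(counts)


def hosts_to_block(counts, threshold=3, never_block=("10.0.0.0/8",)):
    """Addresses at or above `threshold` failures, minus networks that must
    never be blocked (your own admin ranges: a spoofed or injected log line
    must not be able to lock you out of the firewall)."""
    allow = [ipaddress.ip_network(n) for n in never_block]
    blocked = []
    for ip_s, n in counts.items():
        ip = ipaddress.ip_address(ip_s)
        if n >= threshold and not any(ip in net for net in allow):
            blocked.append(ip_s)
    return sorted(blocked)


def pfctl_commands(blocked, table="sshguard"):
    """The pfctl invocations that would add each address to the pf table.
    Only builds the command strings; running them is left to the caller."""
    return [f"pfctl -t {table} -T add {ip}" for ip in blocked]


if __name__ == "__main__":
    counts = count_failures(SAMPLE_LOG.splitlines())
    for ip, n in sorted(counts.items()):
        print(f"{ip}: {n} failure(s)")
    for cmd in pfctl_commands(hosts_to_block(counts)):
        print(cmd)
```

In the sample, 203.0.113.7 is the only address that ends up in the table: 10.0.0.5 also crosses the threshold but sits in the never-block range, the failures reported by `intranet1` are ignored because they did not come from the DMZ host, and the crafted username on the last line is still attributed to 203.0.113.7 because the regex reads the source from the tail of the line. The hostname check is only a filter against noise; it does not authenticate the sender, which is the gap the syslog warnings are about. The pf side of this is outside the snippet (a `table <sshguard> persist` and a `block in quick from <sshguard>` rule, as assumed names).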