653
edits
Changes
Jump to navigation
Jump to search
Line 62:
Line 62: − + − + + + Line 80:
Line 82: − + − +
SME Server:Documentation:Administration Manual:Chapter11 (view source)
Revision as of 02:16, 24 April 2021
, 02:16, 24 April 2021→SSH
* Allow administrative command line access over ssh - This allows someone to connect to your server and login as "root" with the administrative password. The user would then have full access to the underlying operating system. This can be useful if someone is providing remote support for your system. In most cases we recommend setting this to No.
* Allow administrative command line access over ssh - This allows someone to connect to your server and login as "root" with the administrative password. The user would then have full access to the underlying operating system. This can be useful if someone is providing remote support for your system. In most cases we recommend setting this to No.
* Allow ssh using standard passwords - If you choose Yes (the default), users will be able to connect to the server using a standard user name and password. This may be a concern from a security point of view, in that someone wishing to break into your system could connect to your ssh server and repeatedly enter user names and passwords in an attempt to find a valid combination. A more secure way to allow ssh access is called RSA Authentication and involves the copying of an ssh key from the client to the server. See the [[SME_Server:Documentation:User_Manual:Chapter1#Securing_SSH_With_Public_.2F_Private_Keys| User Manual ]] for details
* Allow ssh using standard passwords - If you choose Yes (the default), users will be able to connect to the server using a standard user name and password. This may be a concern from a security point of view, in that someone wishing to break into your system could connect to your ssh server and repeatedly enter user names and passwords in an attempt to find a valid combination. A more secure way to allow ssh access is called RSA Authentication and involves the copying of an ssh key from the client to the server. See the [[SME_Server:Documentation:User_Manual:Chapter1#Securing_SSH_With_Public_.2F_Private_Keys| User Manual ]] for details
* TCP Port for secure shell access - Change the port the ssh client connects to the server, choose a random free port eg. 822 This provides some protection from attacks on the usual port of 22.
* TCP Port for secure shell access - Change the port the ssh client connects to the server, choose a random free port eg. 822. This provides some protection from casual attacks on the usual port of 22 and reduce log noise, but will not deter a serious attacker.
{{Note box|By default, only two user names can be used to login remotely to the server: admin (to access the server console) and root (to use the Linux shell). Regular users are not permitted to login to the server itself. If you give another user the ability to login remotely to the server, you will need to access the underlying Linux operating system and manually change the user's shell.}}
{{Note box|By default, only two user names can be used to login remotely to the server: admin (to access the server console) and root (to use the Linux shell). Regular users are not permitted to login to the server itself. If you give another user the ability to login remotely to the server, you will need to access the underlying Linux operating system and manually change the user's shell.}}
* SSH clients
* SSH clients
A number of different free software programs provide ssh clients for use in a Windows, Macintosh or Linux environment. Several are extensions of existing telnet programs that include ssh functionality. A list of known clients can be found online at https://www.ssh.com/ssh/client, [https://www.ssh.com/ssh/putty/download PuTTY] being the most popular as it meets most requirements and is regularly updated.
A number of different free software programs provide ssh clients for use in a Windows, Macintosh or Linux environment. Several are extensions of existing telnet programs that include ssh functionality. A list of known clients can be found online at https://www.ssh.com/ssh/client, [https://www.ssh.com/ssh/putty/download PuTTY] being the most popular for Windows as it meets most requirements and is regularly updated. Linux workstations normally have direct ssh capability.
A commercial ssh client is available from SSH Communications Security at: http://www.ssh.com/products/ssh/download.html. Note that the client is free for evaluation, academic and certain non-commercial uses.
A commercial ssh client is available from SSH Communications Security at: http://www.ssh.com/products/ssh/download.html. Note that the client is free for evaluation, academic and certain non-commercial uses.
Do note that the SSH protocol also supports SFTP (an alternate secure FTP) and SCP (secure copy). [https://winscp.net/eng/index.php WinSCP] is one example of a Windows client that supports both for GUI Files transfer via the shell.
=====FTPs=====
=====FTPs=====
FTP access limits: This allows you to set an overall site-wide policy for FTP access. The setting you choose here will override all other FTP settings on your server . For example, if you choose "Disable public FTP access" here and then later configure an i-bay to allow public FTP access from the Internet, such access will be forbidden. Note that one of the choices here allows you to completely disable any use of FTP.
FTP access limits: This allows you to set an overall site-wide policy for FTP access. The setting you choose here will override all other FTP settings on your server . For example, if you choose "Disable public FTP access" here and then later configure an i-bay to allow public FTP access from the Internet, such access will be forbidden. Note that one of the choices here allows you to completely disable any use of FTP.
=====Telnet=====
<!--=====Telnet=====
Telnet has traditionally been one of the tools used to login remotely to other systems across a network or the Internet. However, when you use telnet, all user names and passwords are transmitted without any kind of encryption, dramatically reducing the security of your server. Because ssh usage has increased to an acceptable level, telnet access has been removed from the SME Server
Telnet has traditionally been one of the tools used to login remotely to other systems across a network or the Internet. However, when you use telnet, all user names and passwords are transmitted without any kind of encryption, dramatically reducing the security of your server. Because ssh usage has increased to an acceptable level, telnet access has been removed from the SME Server-->
====Local networks====
====Local networks====