[ec2-beta] document: EC2 Ubuntu sudo Guide
mgreenly at gmail.com
Mon Mar 9 10:43:36 GMT 2009
This is an excellent example of what I'm concerned about. It encourages
people to get creative.
Deciding to open more ports and run an extra service all of the time is a
significant overall weakening of system security. I'm not exactly sure of
the difference between running rsync over ssh vs connecting directly to
rsyncd but I suspect that it broadens the attack surface to include rsync
specific code and not just ssh code.
On Mon, Mar 9, 2009 at 3:27 AM, Neale Rudd <neale at metawerx.net> wrote:
> Hi Eric,
> I've been running Ubuntu servers for years both off and on EC2. For
>> non-temporary systems I always configure them with normal users and use
>> sudo for root access. I'll be the first to admit it's a bit of a pain
>> to administer remotely, especially when I had to come up with a way to
>> rsync. (Is nobody else doing this on Ubuntu?!)
> What we do here is leave rsync running all the time on an internal IP or
> localhost, and use an SSH tunnel to get to it.
> - rsync runs as root and listens on 192.168.1.12:873.
> - add this to your ssh command: -L 127.0.0.1:873:192.168.1.12:873
> This opens port 873 on your local machine (127.0.0.1) while the SSH session
> is active.
> Any traffic sent there will be tunnelled over SSH, and sshd will send it on
> to 192.168.1.12:873
> Here's a bunch of ASCII-art that shows how tunnelling works for anyone who
> hasn't used this before:
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Ec2-beta