[BlueOnyx:20932] Re: OpenSSH and PCI on 5208R
Jim Matysek
matysekj at usms.org
Thu Apr 20 11:09:39 -05 2017
Thanks, Chris. That's an easy solution - just turn the damn thing off
except for when you use it.
-jim
-----Original Message-----
From: Blueonyx [mailto:blueonyx-bounces at mail.blueonyx.it] On Behalf Of
Chris Gebhardt - VIRTBIZ Internet
Sent: Thursday, April 20, 2017 11:11 AM
To: blueonyx at mail.blueonyx.it
Subject: [BlueOnyx:20931] Re: OpenSSH and PCI on 5208R
Hi Jim,
> Going out on a limb, is there a remote chance of getting openssh 7.4
> on this server that is still running 5208R, or would the only way to
> get to that version be doing a full update to 5209R? I'm trying to
> avoid that.
Highly unlikely. That's going to involve ripping out the SSH from
CentOS, and upstream Redhat, and then building one in (and keeping it
maintained) just for BlueOnyx. The scale of that work compared with
the benefiting audience just isn't going to work out in our favor.
One option you may have (which has been successful for us in the past)
would be to lock down SSH. Just make it unavailable. Ideally, you can
turn it off via the GUI for anytime other than when you specifically
require its use. Or use some firewall rules or hosts.deny ACL to
narrow the scope of allowed IPs. The theory goes that what is
unavailable for scanning is unable to fail. Or spun another way, the
safest SSH is no SSH at all.
--
Chris Gebhardt
VIRTBIZ Internet Services
Access, Web Hosting, Colocation, Dedicated
www.virtbiz.com | toll-free (866) 4 VIRTBIZ
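
Added example (not part of either message, and not BlueOnyx or VIRTBIZ code): a small Python check of the hosts.deny approach suggested above, evaluating which client addresses a pair of TCP-wrappers files would let reach sshd. It assumes sshd on the server is built with TCP wrappers support; the rule contents and addresses are constructed, and only literal IPs, `n.n.n.` prefixes, `net/mask` and `ALL` are handled (no hostnames, `EXCEPT`, options or IPv6).

```python
import ipaddress

# Constructed sample rules (documentation address ranges, not from the thread).
HOSTS_ALLOW = """
# admin workstation and office network
sshd: 203.0.113.10
sshd: 198.51.100.0/255.255.255.0
"""
HOSTS_DENY = """
sshd: ALL
"""

def _rules(text):
    """Yield (daemons, clients) for each non-comment 'daemons: clients' line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = line.split(":")
        if len(fields) >= 2:
            yield (fields[0].replace(",", " ").split(),
                   fields[1].replace(",", " ").split())

def _client_matches(pattern, ip):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):              # prefix form, e.g. "192.0.2."
        return str(ip).startswith(pattern)
    if "/" in pattern:                     # net/mask form
        return ip in ipaddress.ip_network(pattern, strict=False)
    # Anything else must be a literal IP; unsupported patterns raise
    # ValueError so the audit fails loudly instead of guessing.
    return ip == ipaddress.ip_address(pattern)

def _matches(text, daemon, ip):
    return any((daemon in daemons or "ALL" in daemons)
               and any(_client_matches(p, ip) for p in clients)
               for daemons, clients in _rules(text))

def ssh_allowed(client, allow=HOSTS_ALLOW, deny=HOSTS_DENY, daemon="sshd"):
    """hosts_access order: allow match grants, deny match refuses, else grant."""
    ip = ipaddress.ip_address(client)
    if _matches(allow, daemon, ip):
        return True
    if _matches(deny, daemon, ip):
        return False
    return True   # no rule matched in either file

if __name__ == "__main__":
    for addr in ("203.0.113.10", "198.51.100.77", "192.0.2.55"):
        print(addr, "allowed" if ssh_allowed(addr) else "denied")
```

With an empty hosts.deny the last address is allowed, which is why the deny file needs the catch-all `sshd: ALL` line for the allow list to narrow anything.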