From owner-freebsd-questions@FreeBSD.ORG Fri Apr 18 23:54:05 2008
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 82B251065675; Fri, 18 Apr 2008 23:54:05 +0000 (UTC) (envelope-from cpghost@cordula.ws)
Received: from fw.farid-hajji.net (fw.farid-hajji.net [213.146.115.42]) by mx1.freebsd.org (Postfix) with ESMTP id 0E66F8FC21; Fri, 18 Apr 2008 23:54:04 +0000 (UTC) (envelope-from cpghost@cordula.ws)
Received: from epia-2.farid-hajji.net (epia-2 [192.168.254.11]) by fw.farid-hajji.net (Postfix) with ESMTP id 722A733EBE; Sat, 19 Apr 2008 01:34:45 +0200 (CEST)
Date: Fri, 18 Apr 2008 17:34:43 -0600
From: cpghost
To: Paul Schmehl
Cc: freebsd-questions@freebsd.org
Subject: Re: [SSHd] Limiting access from authorized IP's
Message-ID: <20080418173443.40f99867@epia-2.farid-hajji.net>
References: <2tng04doovnmtkr7or9kfkb596fgjfoj1c@4ax.com> <20080418191449.212f43d3.gary@pattersonsoftware.com> <1EBA9459C137D287EEE2560D@utd65257.utdallas.edu> <4808D7F4.8000709@radel.com>
Organization: Cordula's Web
X-Mailer: Claws Mail 3.3.1 (GTK+ 2.12.9; i386-portbld-freebsd7.0)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Fri, 18 Apr 2008 23:54:05 -0000

On Fri, 18 Apr 2008 13:46:48 -0500 Paul Schmehl wrote:

> Let me clarify. When I use the term "host", I'm referring to what
> many would call a "personal workstation" or "personal computer". If
> you have more than one person who has shell access to a computer,
> then you no longer have a host. You have a server. Sure, you may not
> think of it that way, but that's what it is.
>
> Servers are a completely different ballgame, and the decisions you
> make regarding protecting them have everything to do with who has
> access to what. The servers that I referenced in my post have one
> person with root access - me - and one user - the owners. No one else
> has access. So, it's a great deal easier for me to lock down the
> boxes than it is, for example, here at work, where *many* people have
> shell access and more than one have root access through sudo or even
> su.

Sorry for bikeshedding here, since it's just a matter of terminology,
but...

"Hosts" used to be multi-user machines for a long time, and actually
still are. Most RFCs, including newer ones, refer to "hosts" and mean
"nodes" on the net. They don't care whether the hosts are workstations
used by a single user or a few users, or big multi-user machines with
hundreds of shell accounts.

"Server" is merely the role a program assumes when it waits passively
for requests from "clients". "Servers" run on "hosts", regardless of
the number of users on those hosts (ranging from 0 to very high).

Obviously, the security implications vary considerably if you have to
host many user accounts, esp. on hosts used by mission-critical server
programs. ;)

And of course, the bikeshed has to be painted... red! :)

Regards,
-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/