On Thu, Oct 04, 2012 at 02:44:27PM +0100, steve-ALUG@hst.me.uk wrote:
> Limiting logins from specific IP addresses as you already do is a good idea.
> I get *very* few ssh login attempts, just the odd one every few days. It's presumably just the occasional user who also has an account at the same hosting service as me (Tsohost, excellent).
> I'm not absolutely sure what you're trying to do - I don't quite understand why you're reverse tunnelling, for instance. Anyway, on the off-chance that this helps:
> You can/should set up a user name on the remote machine with little or no privileges to do anything; however, allow this account to be SSH-ed into. Then you can configure sudo for this account so that it specifically allows you to run the commands that you want it to, in conjunction with sudo. Configure sudo with the visudo command, but google it first, or look at a manual.
'Remote' doesn't really make sense in this context! :-)
There's an Ubuntu machine on our boat in France that runs unattended. It already runs an autossh process at startup that sets up an ssh tunnel to my login at Tsohost. This allows me to log in to my Tsohost shell and, from there, to log in to the Ubuntu machine on the boat. The reason for using the Tsohost 'intermediate' shell account is simply that I don't want public-key/no-passphrase logins on my home desktop machine.
The Ubuntu machine on the boat runs apache and I want to be able to browse its web pages from home. So I want to 'export' port 80 from the machine on the boat in the same way as I export port 22 for ssh. However, I'd like to be able to export it directly to my desktop machine, which entails having a public-key/no-passphrase login, so I want to make it so that the login won't allow anything except the ssh reverse tunnel.
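An added example (the editor's, not code from either poster) of how a key can be pinned down to "nothing except the reverse tunnel" on the desktop side, which is what the last paragraph asks for and is tighter than the restricted-account-plus-sudo route suggested in the quoted reply. It produces three artefacts: the authorized_keys entry for the tunnel key, a matching sshd_config Match block as a second layer, and the autossh command the boat would run. The user name "tunnel", port 8080, the hostnames and addresses, the key path and the key material are all assumptions. The `restrict` and `permitlisten` key options need OpenSSH 7.8 or later on the desktop; on older servers replace `restrict` with `no-pty,no-agent-forwarding,no-X11-forwarding,no-user-rc` and drop `permitlisten`.

```shell
#!/bin/sh
# Editor's added example, not from the mailing-list thread.
# Everything below (user "tunnel", port 8080, hosts, key path) is an assumption.

# Build a restricted authorized_keys line for a tunnel-only key.
#   $1 = port the tunnel may listen on at the desktop (the -R side)
#   $2 = public key line as written by ssh-keygen ("type base64 comment")
#   $3 = optional from= pattern (IP or hostname) limiting where the key works from
# Key options used (OpenSSH 7.8+):
#   restrict        - turn off pty, agent/X11 forwarding, user rc AND port forwarding
#   port-forwarding - switch forwarding back on, since restrict removed it
#   permitlisten    - the only listen port a -R request may ask for
#   command         - anything that asks for a shell or command gets /bin/false
restricted_key_line() {
    port="$1"
    pubkey="$2"
    src="${3:-}"
    # Refuse input that does not look like a public key ("type base64 ...").
    case "$pubkey" in
        ssh-*" "*|ecdsa-sha2-*" "*|sk-*" "*) ;;
        *) echo "restricted_key_line: not a public key line" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "restricted_key_line: bad port '$port'" >&2; return 1 ;;
    esac
    opts="restrict,port-forwarding,permitlisten=\"${port}\",command=\"/bin/false\""
    if [ -n "$src" ]; then
        opts="from=\"${src}\",${opts}"
    fi
    printf '%s %s\n' "$opts" "$pubkey"
}

# sshd_config Match block for the tunnel user on the desktop. This is a second
# layer on top of the key options: even if authorized_keys is edited carelessly,
# this user can only ever open reverse (-R) tunnels to the given port.
#   $1 = user name, $2 = permitted listen port
sshd_match_block() {
    printf 'Match User %s\n' "$1"
    printf '    AllowTcpForwarding remote\n'    # -R only; no -L, no -D
    printf '    PermitListen %s\n' "$2"
    printf '    PermitTTY no\n'
    printf '    X11Forwarding no\n'
    printf '    AllowAgentForwarding no\n'
    printf '    ForceCommand /bin/false\n'
}

# Command the boat runs at boot under autossh. -M 0 turns off autossh's own
# monitor port and relies on ServerAlive* instead; ExitOnForwardFailure makes
# ssh exit (so autossh restarts it) if the desktop refuses the listen port,
# instead of sitting connected with no tunnel. Port 80 is apache on the boat.
#   $1 = identity file, $2 = desktop listen port, $3 = user@desktop
autossh_tunnel_cmd() {
    printf 'autossh -M 0 -N -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -i %s -R %s:localhost:80 %s\n' "$1" "$2" "$3"
}

# Demo with a constructed placeholder key (not a real key) and assumed names.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBoatTunnelKeyPlaceholder0000000000000000 boat-tunnel'
echo '# ~tunnel/.ssh/authorized_keys on the desktop:'
restricted_key_line 8080 "$SAMPLE_KEY" '203.0.113.5'   # from= only if the boat's address is static
echo '# append to /etc/ssh/sshd_config on the desktop:'
sshd_match_block tunnel 8080
echo '# run at startup on the boat:'
autossh_tunnel_cmd /home/boat/.ssh/tunnel_key 8080 tunnel@desktop.example
```

With this in place the tunnel lands on the desktop's loopback interface only (GatewayPorts is off by default), so the boat's web pages are read at http://localhost:8080 on the desktop and nothing else on the home network can reach them. The `from=` option is the same idea as the IP restriction mentioned at the top of the quoted reply, but it is only useful if the boat's connection has a fixed address; leave it out otherwise, the other options still hold.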