2005/09/30 - Incoming SSH Access
Over the last few months we've seen an increasing number of probes and access attempts from outside the University against SSH servers running on campus. We've also seen an increasing number of users installing Linux or running SSH servers on Windows machines. Most Linux distributions appear to enable an SSH service by default and to allow root logins through it, and a number of student and staff machines on campus have been compromised in this way as a result of weak root passwords. We are therefore altering our policy on incoming SSH access.

To date we have, by default, allowed users to run SSH servers on their machine and have these servers accessible from outside the University. From the end of September we'll only be allowing incoming SSH (TCP port 22) access to machines that have explicitly requested access. This will be implemented in a similar way to incoming HTTP (TCP port 80 & 443) access. Access to outgoing SSH (i.e. connecting to remote SSH servers) will be unaffected by this change.

Users will be required to provide a motivation for their need for incoming external access. The motivation should indicate who will be accessing the machine from outside the network and why they need such access. In evaluating this motivation we'll consider, amongst other things, whether there is an alternative means by which users could achieve the same thing. Users will also be required to ensure that their SSH servers do not allow remote root logins (at least not by password). Users are encouraged to use good passwords on their computers irrespective of whether they have remote access or not.
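The root-login requirement above is controlled by the PermitRootLogin directive in OpenSSH's sshd_config. The following shell script is an added example for checking that setting; it is not part of the notice and is not a tool the University provides. It assumes OpenSSH's rules: the first PermitRootLogin directive wins, keywords are case-insensitive, directives after a Match line are conditional (and are ignored here), and an absent directive means the compiled-in default, which in OpenSSH releases of that era was "yes". The sample configuration files it writes are constructed for the demonstration and are not taken from any real machine.

```shell
#!/bin/sh
# Added example (not from the original notice): audit an OpenSSH sshd_config
# for password-based root logins.
#
# Assumptions (not stated on the page): the first PermitRootLogin directive
# wins, keywords are case-insensitive, anything after a "Match" line is
# conditional and ignored here, and a missing directive falls back to the
# compiled-in default, taken to be "yes" (root password login allowed).

# Print the effective global PermitRootLogin value for the file in $1.
effective_permit_root_login() {
    v=$(awk '
        tolower($1) == "match" { exit }                      # conditional block: stop
        tolower($1) == "permitrootlogin" { print tolower($2); exit }
    ' "$1")
    echo "${v:-yes}"
}

# Return 0 if root cannot log in with a password, 1 if it can,
# 2 for a value this script does not recognise (review by hand).
root_password_login_blocked() {
    case "$(effective_permit_root_login "$1")" in
        no|without-password|prohibit-password|forced-commands-only) return 0 ;;
        yes) return 1 ;;
        *) return 2 ;;
    esac
}

# Constructed sample configurations (labelled as such; not real hosts).
write_samples() {
    dir="$1"
    # Distribution-style default: directive commented out, so sshd's own
    # default applies and root may log in with a password.
    printf '%s\n' 'Port 22' '#PermitRootLogin yes' 'PasswordAuthentication yes' \
        > "$dir/default.conf"
    # Hardened: root may log in, but only with a key, never a password.
    printf '%s\n' 'Port 22' 'PermitRootLogin without-password' \
        > "$dir/hardened.conf"
    # Two directives: sshd uses the first, so root login is off here.
    printf '%s\n' 'permitrootlogin no' 'PermitRootLogin yes' \
        > "$dir/first-wins.conf"
}

# Run the audit over the constructed samples when invoked directly.
tmp=$(mktemp -d)
write_samples "$tmp"
for f in "$tmp"/*.conf; do
    if root_password_login_blocked "$f"; then
        echo "OK    $f (PermitRootLogin=$(effective_permit_root_login "$f"))"
    else
        echo "CHECK $f (PermitRootLogin=$(effective_permit_root_login "$f"))"
    fi
done
rm -rf "$tmp"
```

Point the function at /etc/ssh/sshd_config on a real host to check it; note that a commented-out directive is the same as no directive at all, which is exactly the case the notice warns about on default installs.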

It is suggested that any users who are currently making use of external incoming SSH send e-mail to before the end of September requesting that we consider exempting them from this change. This e-mail should include the details mentioned in the previous paragraph.

A list of machines we know about, and that have already been exempted, is available at

Please be aware that these changes will be implemented during the course of this afternoon. As a result, any machine not explicitly listed in will not have incoming remote SSH access from some time today.