
Think isolated servers in a bank datacenter

For isolated servers where only SSH is allowed to the system for management purposes and no data connections (except business related) can go into the management or corporate network, you have few options.

What I usually do is provide by default a remote forward for HTTP to a distribution server, so that whenever you access these servers you can download updates and additional software. But in certain cases filesystem access is more useful, so being able to tunnel NFS over SSH is very useful as well.

The benefit of doing it like this is that there is only a short period of time (during a maintenance window) that this can be used, but by default there is no possibility to exploit it.

Compared to a permanent firewall rule this is more secure and less prone to attacks.
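A configuration sketch of the HTTP remote forward described in the comment above, added here as an illustration and not taken from the commenter's setup. The host names, the alias and port 8080 are assumptions, and the `sshd_config` part assumes OpenSSH 7.8 or later for `PermitListen`.

```sshconfig
# --- Admin workstation: ~/.ssh/config -------------------------------
# "isolated-srv" and both host names are hypothetical placeholders.
Host isolated-srv
    HostName isolated-srv.example.internal
    # Open a listener on the isolated server's loopback interface and
    # carry connections back through the SSH session to the
    # distribution server, which only the workstation can reach.
    RemoteForward 127.0.0.1:8080 dist.example.internal:80
    # Abort the login if the forward cannot be set up, so a maintenance
    # session never starts without its update channel.
    ExitOnForwardFailure yes

# --- Isolated server: /etc/ssh/sshd_config --------------------------
# Permit remote (-R style) forwards only; local forwards stay disabled.
AllowTcpForwarding remote
# Force forwarded listeners onto loopback so other hosts in the
# isolated segment cannot use the tunnel.
GatewayPorts no
# Restrict which listener a client may request to the one port used
# for updates (assumed port).
PermitListen 127.0.0.1:8080

# During the session the isolated server fetches updates from
# http://127.0.0.1:8080/ ; when the SSH session ends the listener
# disappears and no path to the distribution server remains.
```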

