<div dir="ltr">Hi John,<div><br></div><div>Thank you for the comments! And thanks to others as well who</div><div>have responded; we'll let the conversation continue longer before</div><div>we present anything to Broad IT.</div><div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Aug 8, 2015 at 5:05 PM, john hood <span dir="ltr">&lt;<a href="mailto:cgull@glup.org" target="_blank">cgull@glup.org</a>&gt;</span> wrote:<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">When you say "login server", what exactly do you mean? Is this a<br>
bastion host that you can ssh to, and then connect to internal hosts<br>
from? (That's what I'll assume here.)<br></blockquote><div><br></div><div>It's not a bastion host. As far as I understand, the 'login servers' have</div><div>full access to all filesystems/data, programs, etc. that an internal host</div><div>would have. I believe it is inside the firewall. It does not run iptables, so</div><div>there may be some kind of device sitting in front of it. The primary</div><div>difference between it and an internal host is that it is accessible to the</div><div>outside world but imposes strict memory limits on users (10 MB) and</div><div>offers just 1 virtualized core. So a user would generally ssh into this and</div><div>then connect to an internal host (with more resources). I'm not aware</div><div>of any bastion host at the Broad.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Is the concern here that servers running Mosh could be used as DDoS<br>
reflectors, or that opening UDP ports would allow Broad-internal hosts<br>
to be useful for DDoS bots wanting to generate UDP?<br></blockquote><div><br></div><div>The team's primary concern is the first issue, which you addressed well.</div><div> </div><div>Best,</div><div>Hayden</div></div></div></div></div>