[SSHd] Limiting access from authorized IP's

Paul Schmehl pauls at utdallas.edu
Fri Apr 18 19:01:06 UTC 2008

--On Friday, April 18, 2008 09:15:41 -0700 Kurt Buff <kurt.buff at gmail.com> 
> Not to detour this conversation too much, I hope, but I'm in a
> different situation, and this is going to be an issue for me. I'm
> putting together a box that's going to be a router for our company,
> using BGP to give access to our T1 and frac DS3. That's all it should
> be doing, it will have no other services. It'll be in our server room,
> though, so I won't have to get at it from anywhere, except perhaps
> home, and even that could be avoided by simply traveling the 10 miles
> to work.
> So, I'm wondering how to lock it down - I'm even contemplating
> eliminating any MTA and sshd, and just running the routing daemon, but
> sshd is just so useful that it's hard to do without, and eliminating
> the MTA denies me the goodness of the periodic reports.

Just have the MTA listen on localhost or on a unix socket.  It can still send 
the reports that way but can't be attacked from outside (excepting the limited 
case that Matthew referred to.)

> 'Casting
> syslog to my internal syslog host is also problematic, but possible, I
> suppose.

Well, you *should* be remote syslogging any critical machines like that, but 
that doesn't mean the host itself has to listen for incoming syslog messages.

WRT SSH, if it's a real concern, only allow access from your internal network. 
Then use a publicly accessible machine to tunnel through to it.  (But lock it 
down as well.  Attackers can come from the inside of your network just as 
easily as they can from outside.)

 Then there's the problem of managing and monitoring the thing
> once it's installed. Being able to use mrtg/cacti/something to query
> SNMP would be extraordinarily useful, as we will be paying extra for
> bandwidth above our fractional rate on the DS3, and also to monitor
> the health of the box.

If you're wanting to do this from "foreign" networks (not your own), then set 
up ssl and logins (.htaccess or httpd.conf, local or ldap, pam, whatever your 
have available) for the web interface.

Paul Schmehl (pauls at utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas

More information about the freebsd-questions mailing list