machine hangs on occasion - correlated with ssh break-in
attempts
Ross Wheeler
rossw at albury.net.au
Thu Aug 21 22:25:32 UTC 2008
On Thu, 21 Aug 2008, Mikhail Teterin wrote:
>> Surely you don't have that many users who SSH into the NAT router from
>> random public IPs all over the world, rather than via the LAN? Surely
>> if you yourself often SSH into your NAT router from a Blackberry device,
>> that you wouldn't have much of a problem adding a /19 to the allow list.
>> That's a hell of a lot better than allowing 0/0 and denying individual
>> /32s.
>>
> Myself -- and the owner of the box -- travel quite a bit, ssh-ing "home" from
> anywhere in the world. Although we could, I suppose, find out the
> destination-country's IP-allocation and add it before leaving, that would be
> quite tedious to manage...
One of my clients used to have a microwave link from my network to their
office - and they were totally paranoid about remote access yet needed
live IPs fr other reasons.
They too needed frequent remote access from arbitary addresses.
I overcame these conflicting requirements with a 2-step process. They
"authorised" user first browsed to a website which asked their username
and password. When entered correctly, it opened a hole in the firewall to
allow that IP to their network. A timer ran every 15 minutes to close the
hole (but was over-ridden by the web page which kept refreshing every 10
mins). The last part may not be necessary for you, but this may be a
possible workaround for your traveling access. Leave a default of deny any
except from trusted, fixed hosts, and add transient access as required.
(The system did fail where your browser was proxied, but I catered for
that for the "network guys" by lettig them enter an IP address to open
along with their user/pass - it just defaulted to the requesting host to
make it easy)
YMMV.
RossW
More information about the freebsd-security
mailing list