machine hangs on occasion - correlated with ssh break-in attempts

Jan Stary hans at stare.cz
Fri Aug 22 06:59:09 UTC 2008


On Aug 22 07:48:13, Ross Wheeler wrote:
> On Thu, 21 Aug 2008, Mikhail Teterin wrote:
> >>Surely you don't have that many users who SSH into the NAT router from
> >>random public IPs all over the world, rather than via the LAN?  Surely
> >>if you yourself often SSH into your NAT router from a Blackberry device,
> >>that you wouldn't have much of a problem adding a /19 to the allow list.
> >>That's a hell of a lot better than allowing 0/0 and denying individual
> >>/32s.
> >>
> >Myself -- and the owner of the box -- travel quite a bit, ssh-ing "home" 
> >from anywhere in the world. Although we could, I suppose, find out the 
> >destination-country's IP-allocation and add it before leaving, that would 
> >be quite tedious to manage...
> 
> One of my clients used to have a microwave link from my network to their 
> office - and they were totally paranoid about remote access yet needed 
> live IPs for other reasons.
> 
> They too needed frequent remote access from arbitrary addresses.
> 
> I overcame these conflicting requirements with a 2-step process. The 
> "authorised" user first browsed to a website which asked their username 
> and password. When entered correctly, it opened a hole in the firewall to 
> allow that IP to their network. A timer ran every 15 minutes to close the 
> hole (but was over-ridden by the web page which kept refreshing every 10 
> mins). The last part may not be necessary for you, but this may be a 
> possible workaround for your traveling access. Leave a default of deny any 
> except from trusted, fixed hosts, and add transient access as required.

Eh? Sounds like a web-based reimplementation of authpf.

	Jan
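The scheme Ross describes, written out as an added example (not code from anyone in the thread): a web login admits the client's address to a pf table, a periodic sweep closes the hole once the 15-minute grant lapses, and the still-open page renews the grant by refreshing every 10 minutes. The table name `webauth`, the pf.conf fragment in the comment and the `runner` hook are my assumptions.

```python
"""Transient ssh allow-list driven by a web login, on top of a pf table."""
import ipaddress
import subprocess
import time

PF_TABLE = "webauth"        # assumed table name; pf.conf must declare it, e.g.
#   table <webauth> persist
#   pass in quick on $ext_if proto tcp from <webauth> to ($ext_if) port ssh
#   block in on $ext_if proto tcp to ($ext_if) port ssh
GRANT_SECONDS = 15 * 60     # the 15-minute timer from the post
REFRESH_SECONDS = 10 * 60   # the page refreshes every 10 minutes, well inside the grant


def pfctl_runner(args):
    """Default runner: invoke pfctl for real (needs root on the firewall)."""
    subprocess.run(["pfctl", *args], check=True)


class TransientAllowList:
    def __init__(self, runner=pfctl_runner, table=PF_TABLE):
        self.runner = runner      # hook so the logic can be exercised without pf
        self.table = table
        self.expires = {}         # ip -> unix time at which the hole closes

    def grant(self, ip, now=None):
        """After a successful login: open the hole for the TCP peer address.
        `ip` must be the socket peer, never a client-supplied header."""
        now = time.time() if now is None else now
        addr = str(ipaddress.ip_address(ip))   # reject junk before it reaches pfctl
        if addr not in self.expires:           # already in the table: just extend
            self.runner(["-t", self.table, "-T", "add", addr])
        self.expires[addr] = now + GRANT_SECONDS
        return self.expires[addr]

    def refresh(self, ip, now=None):
        """Called by the auto-refreshing page; only extends an existing grant,
        so a refresh request alone never opens a hole."""
        now = time.time() if now is None else now
        addr = str(ipaddress.ip_address(ip))
        if addr not in self.expires:
            return None
        self.expires[addr] = now + GRANT_SECONDS
        return self.expires[addr]

    def sweep(self, now=None):
        """The periodic timer: close every hole whose grant has lapsed."""
        now = time.time() if now is None else now
        stale = [ip for ip, t in self.expires.items() if t <= now]
        for ip in stale:
            self.runner(["-t", self.table, "-T", "delete", ip])
            del self.expires[ip]
        return stale
```

Run `sweep()` from cron (or a loop) at least as often as the 15-minute timer; the web page calls `grant()` on login and `refresh()` on each reload.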
