machine hangs on occasion - correlated with ssh break-in
attempts
Ross Wheeler
rossw at albury.net.au
Thu Aug 21 22:25:32 UTC 2008
On Thu, 21 Aug 2008, Mikhail Teterin wrote:
>> Surely you don't have that many users who SSH into the NAT router from
>> random public IPs all over the world, rather than via the LAN? Surely
>> if you yourself often SSH into your NAT router from a Blackberry device,
>> that you wouldn't have much of a problem adding a /19 to the allow list.
>> That's a hell of a lot better than allowing 0/0 and denying individual
>> /32s.
>>
> Myself -- and the owner of the box -- travel quite a bit, ssh-ing "home" from
> anywhere in the world. Although we could, I suppose, find out the
> destination-country's IP-allocation and add it before leaving, that would be
> quite tedious to manage...
One of my clients used to have a microwave link from my network to their
office - and they were totally paranoid about remote access yet needed
live IPs for other reasons.
They too needed frequent remote access from arbitrary addresses.
I overcame these conflicting requirements with a 2-step process. The
"authorised" user first browsed to a website which asked their username
and password. When entered correctly, it opened a hole in the firewall to
allow that IP to their network. A timer ran every 15 minutes to close the
hole (but was overridden by the web page which kept refreshing every 10
mins). The last part may not be necessary for you, but this may be a
possible workaround for your traveling access. Leave a default of deny any
except from trusted, fixed hosts, and add transient access as required.
(The system did fail where your browser was proxied, but I catered for
that for the "network guys" by letting them enter an IP address to open
along with their user/pass - it just defaulted to the requesting host to
make it easy)
YMMV.
RossW
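The scheme Ross describes (log in on a web page, a hole opens in the firewall for your IP, a timer closes it unless the page keeps refreshing, proxied users may name the IP to open) is modelled below as an added example; it is not code from the original post or from any FreeBSD tool. Assumptions not in the message: credentials are kept as salted PBKDF2 hashes in a constructed dictionary, the firewall is a pf table (the name `transient_allow` is hypothetical) referenced by an existing pass rule, and the `pfctl -t ... -T add/delete` commands are collected as strings instead of executed so the module runs offline.

```python
"""Added example, not part of the original mailing-list post.

Models the "authenticate on a web page, then open a firewall hole for
your IP, closed by a 15-minute timer unless refreshed" scheme.
Firewall changes are recorded as pfctl table commands (assumption:
a pf pass rule references the table) rather than run.
"""
import hashlib
import hmac
import ipaddress
import time

HOLE_LIFETIME = 15 * 60       # the post's 15-minute timer, in seconds
TABLE = "transient_allow"     # hypothetical pf table name


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user database: username -> (salt, hash). A real deployment
# would load this from a file the web server cannot serve.
_SALT = b"constructed-static-salt"
USERS = {
    "alice": (_SALT, _hash_password("correct horse", _SALT)),
}


def check_credentials(username: str, password: str) -> bool:
    """Constant-time comparison; unknown users still pay the hash cost."""
    entry = USERS.get(username)
    if entry is None:
        _hash_password(password, _SALT)
        return False
    salt, expected = entry
    return hmac.compare_digest(_hash_password(password, salt), expected)


class TransientAllowList:
    """Open holes keyed by IP, each with an absolute expiry time."""

    def __init__(self, lifetime: int = HOLE_LIFETIME):
        self.lifetime = lifetime
        self.expires = {}      # ip -> expiry timestamp
        self.commands = []     # what would be handed to pfctl, in order

    def open_hole(self, ip: str, now: float) -> None:
        # ip_address() accepts a single host only and rejects junk, so
        # nothing unvalidated is ever interpolated into a firewall command.
        ip = str(ipaddress.ip_address(ip))
        if ip not in self.expires:
            self.commands.append(f"pfctl -t {TABLE} -T add {ip}")
        # A refresh from the still-open web page just pushes the expiry out.
        self.expires[ip] = now + self.lifetime

    def reap(self, now: float) -> list:
        """The periodic job: close every hole whose expiry has passed."""
        closed = [ip for ip, t in self.expires.items() if t <= now]
        for ip in closed:
            del self.expires[ip]
            self.commands.append(f"pfctl -t {TABLE} -T delete {ip}")
        return closed

    def is_open(self, ip: str) -> bool:
        return ip in self.expires


def handle_login(allow: TransientAllowList, username: str, password: str,
                 requester_ip: str, requested_ip: str = None,
                 now: float = None) -> bool:
    """Web-form handler: on valid credentials open a hole for the requesting
    host, or for an explicitly supplied IP (the proxied-browser case)."""
    now = time.time() if now is None else now
    if not check_credentials(username, password):
        return False
    try:
        allow.open_hole(requested_ip or requester_ip, now)
    except ValueError:        # malformed IP in the form: open nothing
        return False
    return True


if __name__ == "__main__":
    allow = TransientAllowList()
    handle_login(allow, "alice", "correct horse", "203.0.113.5", now=0)
    allow.reap(now=HOLE_LIFETIME + 1)
    print("\n".join(allow.commands))
```

The two timers in the post interact as intended here: a refresh at 10 minutes resets the expiry, so the 15-minute reaper finds nothing to close until the browser stops refreshing. The requesting-host default and the optional explicit IP both pass through the same validation.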