From owner-freebsd-questions@FreeBSD.ORG Sat Mar 6 05:20:58 2010
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 47CE0106566C for ; Sat, 6 Mar 2010 05:20:58 +0000 (UTC) (envelope-from tajudd@gmail.com)
Received: from mail-pv0-f182.google.com (mail-pv0-f182.google.com [74.125.83.182]) by mx1.freebsd.org (Postfix) with ESMTP id 1C5D08FC14 for ; Sat, 6 Mar 2010 05:20:57 +0000 (UTC)
Received: by pvg3 with SMTP id 3so1490403pvg.13 for ; Fri, 05 Mar 2010 21:20:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references:date:message-id:subject:from:to:cc:content-type; bh=ixSFCGSgvm2571wTHwF6YoA6vPrL+w59AOwpBW04YLY=; b=XaAopY/38ILzLKYCw+jb/wjMZZD43uOSIhqAy+sohAxhpzrR5zXTDauFugs3lqMxVwhamvvfNi3pMytrgxARZHSuMK8mJwPAAbue9Hiw4eBpREXK6sgNPIHglUho1H6khUtCY6u8aOyuGrtvdHpZaitdfyQbHoknptEur9/SrJ8=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to:cc:content-type; b=lETsinD+grVEfl9l2KqKFRAq/5B4g+f+Zb2WG8jD/42JgbGkhOyCJuRxyt0O/kgh4Fh93GKaByEv4AMQlQVoIIvzszhVlAppVQuzrzMsW/7GGys42GTBElsttQ4XX1ScPK2erW5twIuOTpzTjzxdWGR6A3b9o7VYlNN1oF5Iuio=
MIME-Version: 1.0
Received: by 10.115.38.25 with SMTP id q25mr1097997waj.209.1267852854480; Fri, 05 Mar 2010 21:20:54 -0800 (PST)
In-Reply-To: <86lje6z4ul.fsf@blue.stonehenge.com>
References: <20100305125446.GA14774@elwood.starfire.mn.org> <4B910139.1080908@joseph-a-nagy-jr.us> <20100305132604.GC14774@elwood.starfire.mn.org> <86lje6z4ul.fsf@blue.stonehenge.com>
Date: Fri, 5 Mar 2010 22:20:53 -0700
Message-ID:
From: Tim Judd
To: "Randal L. Schwartz"
Content-Type: text/plain; charset=ISO-8859-1
Cc: freebsd-questions@freebsd.org
Subject: Re: Thousands of ssh probes
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 06 Mar 2010 05:20:58 -0000

On 3/5/10, Randal L. Schwartz wrote:
>>>>>> "Tim" == Tim Judd writes:
>
> Tim> I've been in that same boat. I eventually came to the decision to:
> Tim> Install PPTP server software, accepting connections from any IP.
>
> Whoa. Here we are, talking about making it *more* secure, and
> you go the other direction....
>
> http://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol#Security_of_the_PPTP_protocol
>
> In short, you can't take anyone seriously who suggests PPTP when
> talking about security.
>

Randal,

It's not meant as the solution for remote access. It's only a stopgap so you can ssh into your router and add the remote IP. Then disconnect from the VPN you've configured, PPTP or not, and use SSH. And the fact that I haven't (yet) seen random bots try VPN will keep my logs clean.

I'm sorry, I respect Randal very much, but..

A) ..Wikipedia? That's informative and useful, but not authoritative in any way.

B) It's connected for maybe 5 minutes at most. While connected, your ssh session is still encrypted while you add the current remote IP.

I stand by my statements.

The other way (which requires a cron job) is to set up your roaming laptop with a dyndns address (or similar service) and have your router re-load its firewall config periodically so that any possible IPv4/IPv6 address changes are picked up. I haven't done this to finish yet.
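The cron-driven alternative Tim sketches at the end (a dynamic-DNS name for the roaming laptop, re-resolved periodically so the router's firewall admits ssh only from that host's current IPv4/IPv6 addresses) as an added example written for this thread; it is not code from the original post or from FreeBSD. It assumes pf as the firewall, a persistent table named `roaming` that the ssh rule references, the `host` resolver, and the placeholder hostname `laptop.example.net`.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): refresh a pf table with the
# current A/AAAA addresses of a roaming host's dynamic-DNS name. Run from cron.
# Assumptions: pf.conf declares `table <roaming> persist` and a rule such as
#   pass in quick on $ext_if proto tcp from <roaming> to ($ext_if) port ssh
# The hostname below is a placeholder, not a real dyndns name.
set -eu

ROAMING_NAME="${ROAMING_NAME:-laptop.example.net}"   # placeholder dyndns name
PF_TABLE="${PF_TABLE:-roaming}"
STATE_FILE="${STATE_FILE:-/var/db/roaming-${PF_TABLE}.addrs}"

# Keep only lines that are bare IPv4 or IPv6 literals, one per line, sorted and
# de-duplicated; CNAME chatter, blank lines and anything else the resolver
# prints are dropped so nothing unexpected ever reaches pfctl.
filter_addrs() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$|^[0-9A-Fa-f:]*:[0-9A-Fa-f:.]*$' \
        | LC_ALL=C sort -u
}

# Resolve both record types. host(1) prints "NAME has address X" and
# "NAME has IPv6 address Y"; the last field of each such line is the literal.
resolve_host() {
    host "$1" 2>/dev/null | awk '/has (IPv6 )?address/ { print $NF }' | filter_addrs
}

# Return 0 (changed) when the new address set differs from the last one applied,
# or when no state file exists yet; otherwise return 1 (unchanged).
addrs_changed() {
    new="$1"; state="$2"
    [ -f "$state" ] || return 0
    [ "$new" != "$(cat "$state")" ]
}

# Replace the table's contents atomically with the resolved set, so a stale
# address is removed in the same step that admits the new one.
apply_table() {
    table="$1"; addrs="$2"
    # shellcheck disable=SC2086  # word-splitting on the newline-separated list is intended
    pfctl -t "$table" -T replace $addrs
}

main() {
    addrs="$(resolve_host "$ROAMING_NAME")"
    if [ -z "$addrs" ]; then
        # A lookup failure must not empty the table; keep the last known set.
        logger -t roaming-pf "no address for $ROAMING_NAME; table $PF_TABLE left unchanged"
        return 1
    fi
    if addrs_changed "$addrs" "$STATE_FILE"; then
        apply_table "$PF_TABLE" "$addrs" && printf '%s\n' "$addrs" > "$STATE_FILE"
        logger -t roaming-pf "table $PF_TABLE now: $(printf '%s' "$addrs" | tr '\n' ' ')"
    fi
}

# Run only when invoked under the expected script name, so the functions can
# also be sourced for testing without touching pf.
case "${0##*/}" in
    roaming-pf.sh) main ;;
esac
```

Install it as `/usr/local/sbin/roaming-pf.sh` and add a crontab entry such as `*/5 * * * * root /usr/local/sbin/roaming-pf.sh`. Two design points matter for the logs Tim wants to keep clean: a failed lookup leaves the existing table in place rather than locking the laptop out, and every change is written to syslog with the new address set, so the table's history is auditable. The lookup itself is ordinary unauthenticated DNS, which means whoever can update that dyndns record (or answer for it on the router's resolver path) lands in the table; the dyndns credential and the resolver configuration therefore deserve the same care as the ssh keys they gate.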