From: Paul Schmehl <pauls@utdallas.edu>
To: Kurt Buff
Cc: freebsd-questions@freebsd.org
Date: Fri, 18 Apr 2008 14:01:05 -0500
Subject: Re: [SSHd] Limiting access from authorized IP's

--On Friday, April 18, 2008 09:15:41 -0700 Kurt Buff wrote:

> Not to detour this conversation too much, I hope, but I'm in a
> different situation, and this is going to be an issue for me. I'm
> putting together a box that's going to be a router for our company,
> using BGP to give access to our T1 and frac DS3. That's all it should
> be doing; it will have no other services. It'll be in our server room,
> though, so I won't have to get at it from anywhere, except perhaps
> home, and even that could be avoided by simply traveling the 10 miles
> to work.
>
> So, I'm wondering how to lock it down - I'm even contemplating
> eliminating any MTA and sshd, and just running the routing daemon, but
> sshd is just so useful that it's hard to do without, and eliminating
> the MTA denies me the goodness of the periodic reports.

Just have the MTA listen on localhost or on a unix socket. It can still
send the reports that way but can't be attacked from outside (excepting
the limited case that Matthew referred to.)

> 'Casting syslog to my internal syslog host is also problematic, but
> possible, I suppose.

Well, you *should* be remote syslogging any critical machines like that,
but that doesn't mean the host itself has to listen for incoming syslog
messages.

WRT SSH, if it's a real concern, only allow access from your internal
network. Then use a publicly accessible machine to tunnel through to it.
(But lock it down as well. Attackers can come from the inside of your
network just as easily as they can from outside.)

> Then there's the problem of managing and monitoring the thing once
> it's installed. Being able to use mrtg/cacti/something to query SNMP
> would be extraordinarily useful, as we will be paying extra for
> bandwidth above our fractional rate on the DS3, and also to monitor
> the health of the box.

If you're wanting to do this from "foreign" networks (not your own),
then set up ssl and logins (.htaccess or httpd.conf, local or ldap, pam,
whatever you have available) for the web interface.

-- 
Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
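The three points made in the reply (MTA bound to localhost only, remote syslogging without the box accepting anyone else's syslog, sshd reachable only from the internal network) can be checked against the configuration files before the router goes into the rack. The script below is an added example, not code from this mail or from FreeBSD: the rc.conf(5), sshd_config(5) and syslog.conf(5) keywords it looks at are real, while the sample file contents, the address 10.1.2.3, the 10.0.0.0/8 internal range and the host name loghost.example.internal are constructed placeholders.

```python
"""Audit a FreeBSD box's sendmail, syslogd and sshd settings against the
lock-down advice in this thread.  Added example, not from the mail or from
FreeBSD: the rc.conf(5), sshd_config(5) and syslog.conf(5) keywords are real,
the sample file contents are constructed, and the internal range is assumed."""
import ipaddress
import re
import shlex

# Assumption: the company's internal range; sshd must bind inside it.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_rc_conf(text):
    """Map NAME="value" lines of rc.conf to {name: value}; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            name, value = line.split("=", 1)
            conf[name.strip()] = " ".join(shlex.split(value))
    return conf


def parse_sshd_config(text):
    """Map top-level sshd_config keywords to their values, stopping at the first
    Match block (settings there are conditional and need sshd's own matching)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "match":
            break
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf


def syslog_forward_targets(text):
    """Hosts that syslog.conf forwards to, i.e. actions of the form @host[:port]."""
    targets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and not line.startswith("#") and parts[-1].startswith("@"):
            targets.append(parts[-1][1:].split(":")[0])
    return targets


def _listen_host(spec):
    """ListenAddress accepts host, host:port and [host6]:port."""
    if spec.startswith("["):
        return spec[1:spec.index("]")]
    return spec.split(":")[0] if spec.count(":") == 1 else spec


def audit(rc_conf, sshd_config, syslog_conf):
    """Return the list of deviations from the advice; an empty list means clean."""
    findings = []
    rc = parse_rc_conf(rc_conf)
    sshd = parse_sshd_config(sshd_config)

    # MTA: with sendmail_enable=NO, FreeBSD still starts the submission daemon
    # bound to 127.0.0.1 (sendmail_submit_enable, default YES), which is all
    # periodic(8) needs to mail its reports out.
    if rc.get("sendmail_enable", "NO").upper() != "NO":
        findings.append("sendmail accepts network connections (sendmail_enable is not NO)")
    if rc.get("sendmail_submit_enable", "YES").upper() != "YES":
        findings.append("no localhost-only sendmail for periodic reports (sendmail_submit_enable is not YES)")

    # syslogd: a single -s refuses messages from other hosts but still forwards
    # ours; -ss opens no network socket at all, which also disables forwarding.
    flags = rc.get("syslogd_flags", "").split()
    secure = sum(len(f) - 1 for f in flags if re.fullmatch(r"-s+", f))
    targets = syslog_forward_targets(syslog_conf)
    if secure == 0:
        findings.append("syslogd accepts remote messages (syslogd_flags lacks -s)")
    if not targets:
        findings.append("no remote loghost in syslog.conf")
    elif secure >= 2:
        findings.append("syslogd_flags -ss opens no network socket, so nothing reaches the loghost")

    # sshd: bind only to the internal address; the public side is reached by
    # tunnelling through a separate, equally hardened host.
    listen = sshd.get("listenaddress", [])
    if not listen:
        findings.append("sshd listens on every address (no ListenAddress)")
    for spec in listen:
        ip = ipaddress.ip_address(_listen_host(spec))
        if not any(ip in net for net in INTERNAL_NETS):
            findings.append(f"sshd ListenAddress {spec} is outside the internal network")
    return findings


# Constructed samples: the router as first installed ...
WEAK_RC = 'sendmail_enable="YES"\nsyslogd_flags=""\nsshd_enable="YES"\n'
WEAK_SSHD = "PermitRootLogin no\n"
WEAK_SYSLOG = "*.notice\t/var/log/messages\n"

# ... and after following the thread (10.1.2.3 and the loghost are assumed names).
HARDENED_RC = """sendmail_enable="NO"          # only the 127.0.0.1 submission daemon
sendmail_submit_enable="YES"
syslogd_flags="-s"            # ignore remote messages, keep forwarding ours
sshd_enable="YES"
"""
HARDENED_SSHD = """# internal interface only; reach it through a tunnel via a bastion
ListenAddress 10.1.2.3
AllowUsers ops@10.0.0.0/8
PermitRootLogin no
PasswordAuthentication no
"""
HARDENED_SYSLOG = """*.notice\t/var/log/messages
# forward everything to the internal loghost
*.*\t@loghost.example.internal
"""

if __name__ == "__main__":
    for label, args in (("weak", (WEAK_RC, WEAK_SSHD, WEAK_SYSLOG)),
                        ("hardened", (HARDENED_RC, HARDENED_SSHD, HARDENED_SYSLOG))):
        print(label, audit(*args) or ["ok"])
```

The syslogd check is deliberately two-sided: `-s` is what the reply asks for (forward to the loghost, accept nothing), whereas `-ss` looks stricter but stops the forwarding as well, so the audit flags it when a loghost is configured. For the tunnel step, a client-side `ssh -J bastion 10.1.2.3` (ProxyJump) reaches the internal-only ListenAddress without the router ever being exposed on the public side.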