Date: Thu, 10 Aug 2006 22:20:18 -0500
From: pauls@utdallas.edu
Cc: freebsd-questions@freebsd.org
Subject: Re: Finding IP Addresses (OT)
Message-ID: <6265A884C423D07599B15EFA@paul-schmehls-powerbook59.local>
In-Reply-To: <200608110202.k7B22Er7052574@banyan.cs.ait.ac.th>
References: <44DB7888.6080807@2012.vi> <200608110202.k7B22Er7052574@banyan.cs.ait.ac.th>

--On August 11, 2006 9:02:14 AM +0700 Olivier Nicole <on@cs.ait.ac.th> wrote:

> Beno,
>
>> I'm configuring my IP filter and I need to figure out what IP addresses
>> I use (via SSH2) to contact my server.
>
> I'd advise you not to filter SSH by IP, that would be the best way to
> lock you out of your server.
>
> Even if you find all the IP used by your ISP, you cannot predict when
> the IP range will change, and it DOES change.
>
> If you limit the IP that can SSH to your server, you will not be able
> to login when you are traveling and some urgent administration task
> need to be performed. And the most urgent tasks must often be
> performed when traveling...
>
You're making some assumptions that I don't think you can make. For
example, I have a publicly accessible server at work that does not change
IPs. So, even if nothing else will work, I can always get back in to my
servers through that server. It's a form of a bastion host.

Also, when I'm traveling, I can always get in through that server, so I
never open up an IP from where I'm traveling.

His situation may be similar, who knows. He may also be as paranoid as I
am. :-)

> Set a strong password to your account (8+ characters, using letters up
> and lower case, numbers and punctuation signs), do not allow SSH to
> root account, enforce using sudo instead of su.
>
All excellent suggestions, which he should implement, regardless of
whether he also chooses to restrict access by IP.

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
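
The question quoted in this thread is which source addresses are actually used to reach the server over SSH before filtering on them. The following is an added example, not part of the original message: it reads sshd "Accepted" lines in the standard OpenSSH syslog format and reports which successful source addresses a planned allowlist would lock out. The log lines are constructed, the function names are hypothetical, and 192.0.2.10 stands in for a fixed-IP bastion host.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the usual OpenSSH syslog format (not from the thread).
SAMPLE_LOG = """\
Aug 10 21:02:11 www sshd[4121]: Accepted password for beno from 198.51.100.23 port 50211 ssh2
Aug 10 21:40:05 www sshd[4177]: Failed password for root from 203.0.113.77 port 41922 ssh2
Aug 10 22:15:48 www sshd[4230]: Accepted publickey for beno from 192.0.2.10 port 50877 ssh2
Aug 11 07:31:02 www sshd[4512]: Accepted password for beno from 198.51.100.23 port 50390 ssh2
Aug 11 08:12:30 www sshd[4533]: Failed password for invalid user admin from 203.0.113.77 port 42010 ssh2
"""

# Only successful logins matter here: failed attempts are not addresses "I use".
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")


def successful_sources(log_text):
    """Return {user: {source_ip: login_count}} for successful SSH logins."""
    seen = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        match = ACCEPTED.search(line)
        if not match:
            continue
        _method, user, addr = match.groups()
        try:
            ip = ipaddress.ip_address(addr)  # skip anything that is not an IP
        except ValueError:
            continue
        seen[user][str(ip)] += 1
    return {user: dict(counts) for user, counts in seen.items()}


def outside_allowlist(sources, allowed_nets):
    """Return sorted source IPs with successful logins that the allowlist would block."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    blocked = set()
    for counts in sources.values():
        for addr in counts:
            ip = ipaddress.ip_address(addr)
            if not any(ip in net for net in nets):
                blocked.add(addr)
    return sorted(blocked)


if __name__ == "__main__":
    sources = successful_sources(SAMPLE_LOG)
    print(sources)
    print(outside_allowlist(sources, ["192.0.2.10/32"]))  # bastion-only allowlist
```

Any address the second function returns is one that has been used for a real login and would be cut off by the filter, which is the lock-out risk discussed above.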