From owner-freebsd-security@FreeBSD.ORG Fri Aug 22 06:59:09 2008
Date: Fri, 22 Aug 2008 08:58:28 +0200
From: Jan Stary
To: Ross Wheeler
Cc: Mikhail Teterin, Jeremy Chadwick, freebsd-security@freebsd.org
Subject: Re: machine hangs on occasion - correlated with ssh break-in attempts
Message-ID: <20080822065828.GA28155@www.stare.cz>
In-Reply-To: <20080822074020.G32956@ali-syd-1.albury.net.au>
References: <48ADA81E.7090106@aldan.algebra.com> <20080821200309.GA19634@eos.sc1.parodius.com> <48ADCFD5.8020902@aldan.algebra.com> <20080822074020.G32956@ali-syd-1.albury.net.au>
List-Id: "Security issues [members-only posting]"

On Aug 22 07:48:13, Ross Wheeler wrote:
> On Thu, 21 Aug 2008, Mikhail Teterin wrote:
> >> Surely you don't have that many users who SSH into the NAT router from
> >> Surely if you yourself often SSH into your NAT router from a Blackberry device,
> >> that you wouldn't have much of a problem adding a /19 to the allow list.
> >> That's a hell of a lot better than allowing 0/0 and denying individual
> >> /32s.
> >>
> > Myself -- and the owner of the box -- travel quite a bit, ssh-ing "home"
> > from anywhere in the world. Although we could, I suppose, find out the
> > destination-country's IP-allocation and add it before leaving, that would
> > be quite tedious to manage...
>
> One of my clients used to have a microwave link from my network to their
> office - and they were totally paranoid about remote access yet needed
> live IPs for other reasons.
>
> They too needed frequent remote access from arbitrary addresses.
>
> I overcame these conflicting requirements with a 2-step process. Their
> "authorised" user first browsed to a website which asked their username
> and password. When entered correctly, it opened a hole in the firewall to
> allow that IP to their network. A timer ran every 15 minutes to close the
> hole (but was over-ridden by the web page which kept refreshing every 10
> mins). The last part may not be necessary for you, but this may be a
> possible workaround for your traveling access. Leave a default of deny any
> except from trusted, fixed hosts, and add transient access as required.

Eh? Sounds like a web-based reimplementation of authpf.

	Jan
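The mechanism Ross describes (a successful web login opens a hole for the client's IP, a 15-minute timer closes it, the page's 10-minute refresh keeps it open) maps onto a pf table on FreeBSD, which is also roughly what authpf does with its own tables. The script below is an added example written for this page; it is neither code from the thread nor authpf. Everything in it is assumed rather than taken from the posts: the table name remote_ssh, the external interface em0, the 900-second TTL, and the convention that the web application invokes the script (with root privileges, e.g. via sudo) as `sshhole open $REMOTE_ADDR` after login, `sshhole refresh $REMOTE_ADDR` on each page refresh, and that cron runs `sshhole expire` every minute. The PFCTL variable exists only so the logic can be exercised without a live pf.

```sh
#!/bin/sh
# Added example, not from the thread and not authpf: a "web-authorised
# transient hole" for sshd done with a pf table on FreeBSD.
# Assumed invocation (not from the thread):
#   sshhole open <ip>     after a successful web login
#   sshhole refresh <ip>  from the page's periodic refresh
#   sshhole close <ip>    on explicit logout
#   sshhole expire        from cron, once a minute
#   sshhole rules         prints the pf.conf fragment this relies on

PFCTL="${PFCTL:-/sbin/pfctl}"   # overridable so the logic can run without pf
TABLE="${TABLE:-remote_ssh}"    # assumed table name
TTL="${TTL:-900}"               # 15 minutes, as in the described timer
EXT_IF="${EXT_IF:-em0}"         # assumed external interface

# pf.conf fragment. In pf the last matching rule wins, so the pass rule
# from the table overrides the block. "persist" keeps the table defined
# even while it is empty.
pf_rules() {
    cat <<EOF
table <$TABLE> persist
block in on $EXT_IF proto tcp to ($EXT_IF) port 22
pass in on $EXT_IF proto tcp from <$TABLE> to ($EXT_IF) port 22 keep state
EOF
}

# Accept only a dotted-quad IPv4 address. The value comes from the web
# server's REMOTE_ADDR, so nothing else may ever reach pfctl's command line.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Open the hole: add the address to the table.
open_hole() {
    valid_ipv4 "$1" || { echo "refusing '$1'" >&2; return 1; }
    "$PFCTL" -t "$TABLE" -T add "$1"
}

# "pfctl -T expire" ages an entry from the time it was added, and
# "-T add" on an address already in the table is a no-op, so a refresh is
# delete-then-add. That restarts the clock without dropping the session:
# established states are not tied to the table entry.
refresh_hole() {
    valid_ipv4 "$1" || return 1
    "$PFCTL" -t "$TABLE" -T delete "$1"
    "$PFCTL" -t "$TABLE" -T add "$1"
}

# The 15-minute timer: drop entries older than TTL seconds.
expire_holes() {
    "$PFCTL" -t "$TABLE" -T expire "$TTL"
}

# Explicit logout: remove the entry and kill states from that address,
# because removing a table entry alone leaves open sessions running.
close_hole() {
    valid_ipv4 "$1" || return 1
    "$PFCTL" -t "$TABLE" -T delete "$1"
    "$PFCTL" -k "$1"
}

case "${1:-}" in
    open)    open_hole "$2" ;;
    refresh) refresh_hole "$2" ;;
    close)   close_hole "$2" ;;
    expire)  expire_holes ;;
    rules)   pf_rules ;;
    *)       [ -z "${1:-}" ] || { echo "usage: $0 {open|refresh|close} ip | expire | rules" >&2; exit 2; } ;;
esac
```

Two points a practitioner would want to keep in mind: the timer only removes the table entry, so a session that is already established stays up until it ends or `close` kills its states with `pfctl -k`; and the web application itself is now the thing exposed to 0/0, so it needs the same brute-force and TLS attention the sshd had.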