From owner-freebsd-stable@FreeBSD.ORG Thu Aug 21 22:25:32 2008
Return-Path: 
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 31D681065679; Thu, 21 Aug 2008 22:25:32 +0000 (UTC) (envelope-from rossw@albury.net.au)
Received: from mail.albury.net.au (ali-syd-1.albury.net.au [202.3.36.15]) by mx1.freebsd.org (Postfix) with ESMTP id BCC6A8FC16; Thu, 21 Aug 2008 22:25:31 +0000 (UTC) (envelope-from rossw@albury.net.au)
Received: from ali-syd-1.albury.net.au (ali-syd-1.albury.net.au [202.3.36.15]) by mail.albury.net.au (8.13.6/8.13.6) with ESMTP id m7LLmDqi090234; Fri, 22 Aug 2008 07:48:14 +1000 (EST) (envelope-from rossw@albury.net.au)
Date: Fri, 22 Aug 2008 07:48:13 +1000 (EST)
From: Ross Wheeler 
To: Mikhail Teterin 
In-Reply-To: <48ADCFD5.8020902@aldan.algebra.com>
Message-ID: <20080822074020.G32956@ali-syd-1.albury.net.au>
References: <48ADA81E.7090106@aldan.algebra.com> <20080821200309.GA19634@eos.sc1.parodius.com> <48ADCFD5.8020902@aldan.algebra.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-3.0 (mail.albury.net.au [202.3.36.15]); Fri, 22 Aug 2008 07:48:14 +1000 (EST)
Cc: freebsd-security@freebsd.org, Jeremy Chadwick , freebsd-stable@freebsd.org
Subject: Re: machine hangs on occasion - correlated with ssh break-in attempts
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code
List-Unsubscribe: ,
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: ,
X-List-Received-Date: Thu, 21 Aug 2008 22:25:32 -0000

On Thu, 21 Aug 2008, Mikhail Teterin wrote:

>> Surely you don't have that many users who SSH into the NAT router from
>> random public IPs all over the world, rather than via the LAN? Surely
>> if you yourself often SSH into your NAT router from a Blackberry device,
>> that you wouldn't have much of a problem adding a /19 to the allow list.
>> That's a hell of a lot better than allowing 0/0 and denying individual
>> /32s.
>>
> Myself -- and the owner of the box -- travel quite a bit, ssh-ing "home" from
> anywhere in the world. Although we could, I suppose, find out the
> destination-country's IP-allocation and add it before leaving, that would be
> quite tedious to manage...

One of my clients used to have a microwave link from my network to their 
office - and they were totally paranoid about remote access yet needed live 
IPs for other reasons. They too needed frequent remote access from arbitrary 
addresses.

I overcame these conflicting requirements with a 2-step process. The 
"authorised" user first browsed to a website which asked their username and 
password. When entered correctly, it opened a hole in the firewall to allow 
that IP to their network. A timer ran every 15 minutes to close the hole 
(but was overridden by the web page which kept refreshing every 10 mins).

The last part may not be necessary for you, but this may be a possible 
workaround for your traveling access. Leave a default of deny any except 
from trusted, fixed hosts, and add transient access as required.

(The system did fail where your browser was proxied, but I catered for that 
for the "network guys" by letting them enter an IP address to open along 
with their user/pass - it just defaulted to the requesting host to make it 
easy)

YMMV.

RossW
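The mechanism Ross describes above (password-gated web page opens a hole for the requesting IP, a periodic job closes holes that have not been refreshed, and trusted users may name a different IP when they sit behind a proxy) is sketched below as an added example; it is not Ross's code and the original list thread does not contain any. It assumes pf with a table named `transient_ssh` that an existing `pass` rule references (the table name, the credential store, the user list and the timings are all assumptions for illustration), and it takes the command runner and the clock as parameters so the control logic can be exercised without pf present.

```python
"""Web-authorised, time-limited firewall holes (illustrative example).

Assumed pf rule, added by hand before using this:
    table <transient_ssh> persist
    pass in quick on $ext_if proto tcp from <transient_ssh> to ($ext_if) port 22
A CGI/WSGI handler would call Leases.authorise() with the form fields and
REMOTE_ADDR; a cron job every few minutes would call Leases.expire().
"""
import hashlib
import hmac
import ipaddress
import subprocess
import time

TABLE = "transient_ssh"        # assumed pf table name
LEASE_SECONDS = 15 * 60        # hole closes 15 minutes after the last refresh


def _kdf(salt: bytes, password: str) -> bytes:
    """Slow, salted password hash (PBKDF2) so a stolen store is not a free login."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed credential store for the example: user -> (salt, derived key).
USERS = {
    "ross": (b"salt-ross-constructed", _kdf(b"salt-ross-constructed", "correct horse")),
    "alice": (b"salt-alice-constructed", _kdf(b"salt-alice-constructed", "battery staple")),
}
# Users trusted to open a hole for an address other than the one they connect from
# (the "network guys" behind a proxy).  Everyone else only gets their own address.
MAY_NAME_IP = {"ross"}


def check_password(user: str, password: str) -> bool:
    rec = USERS.get(user)
    if rec is None:
        _kdf(b"dummy-salt", password)   # same cost for unknown users (no user enumeration by timing)
        return False
    salt, expected = rec
    return hmac.compare_digest(_kdf(salt, password), expected)


def pfctl_cmd(action: str, ip: str) -> list:
    """Command to add/delete one address in the pf table."""
    return ["pfctl", "-t", TABLE, "-T", action, ip]


class Leases:
    def __init__(self, run=None, now=time.time):
        # run(cmd) executes a pfctl command; injected so it can be recorded in tests.
        self.run = run or (lambda cmd: subprocess.run(cmd, check=True))
        self.now = now
        self.expiry = {}   # ip -> unix time at which the hole closes

    def authorise(self, user: str, password: str, remote_addr: str, requested_ip: str = None):
        """Open (or refresh) a hole.  Returns the address opened, or None on refusal.

        remote_addr must be the TCP peer the web server saw, never an
        X-Forwarded-For header: that header is attacker-controlled, and a
        proxied user is exactly the case the requested_ip override exists for.
        """
        if not check_password(user, password):
            return None
        if requested_ip is not None and user not in MAY_NAME_IP:
            return None
        try:
            ip = str(ipaddress.ip_address(requested_ip or remote_addr))
        except ValueError:
            return None                  # garbage would otherwise reach pfctl's argv
        if ip not in self.expiry:
            self.run(pfctl_cmd("add", ip))
        # A page that reloads every 10 minutes lands here and pushes the deadline out.
        self.expiry[ip] = self.now() + LEASE_SECONDS
        return ip

    def expire(self) -> list:
        """Close every hole whose lease has lapsed; returns the addresses closed."""
        now = self.now()
        closed = [ip for ip, deadline in self.expiry.items() if deadline <= now]
        for ip in closed:
            self.run(pfctl_cmd("delete", ip))
            del self.expiry[ip]
        return closed


if __name__ == "__main__":
    leases = Leases()
    print(leases.authorise("ross", "correct horse", "203.0.113.5"))
    print(leases.expire())
```

Because the hole is keyed by the address the web server actually talked to, a user whose browser goes through a proxy opens a hole for the proxy, not for the host they will ssh from; that is the failure Ross mentions, and the `requested_ip` override limited to `MAY_NAME_IP` is the workaround. The `expire()` job is the only thing that closes holes, so it needs to be in cron, and the table should be declared `persist` so a rule reload does not silently drop leases the script still believes are open.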