From: pauls@utdallas.edu
Date: Thu, 10 Aug 2006 22:20:18 -0500
cc: freebsd-questions@freebsd.org
Subject: Re: Finding IP Addresses (OT)
Message-ID: <6265A884C423D07599B15EFA@paul-schmehls-powerbook59.local>
In-Reply-To: <200608110202.k7B22Er7052574@banyan.cs.ait.ac.th>
References: <44DB7888.6080807@2012.vi> <200608110202.k7B22Er7052574@banyan.cs.ait.ac.th>

--On August 11, 2006 9:02:14 AM +0700 Olivier Nicole wrote:

> Beno,
>
>> I'm configuring my IP filter and I need to figure out what IP addresses
>> I use (via SSH2) to contact my server.
>
> I'd advise you not to filter SSH by IP, that would be the best way to
> lock you out of your server.
>
> Even if you find all the IP used by your ISP, you cannot predict when
> the IP range will change, and it DOES change.
>
> If you limit the IP that can SSH to your server, you will not be able
> to login when you are traveling and some urgent administration task
> need to be performed. And the most urgent tasks must often be
> performed when traveling...
>

You're making some assumptions that I don't think you can make. For
example, I have a publicly accessible server at work that does not change
IPs. So, even if nothing else will work, I can always get back in to my
servers through that server. It's a form of a bastion host.

Also, when I'm traveling, I can always get in through that server, so I
never open up an IP from where I'm traveling.

His situation may be similar, who knows. He may also be as paranoid as I
am. :-)

> Set a strong password to your account (8+ characters, using letters up
> and lower case, numbers and punctuation signs), do not allow SSH to
> root account, enforce using sudo instead of su.
>

All excellent suggestions, which he should implement, regardless of
whether he also chooses to restrict access by IP.

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
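
A check for the two server-side settings discussed in this message (no root login over SSH, logins accepted only from a fixed bastion address), as an added example that is not part of the original thread. It assumes the source restriction is written in sshd_config as `AllowUsers user@address` rather than in the packet filter; the function names, the sample config and the bastion address 192.0.2.10 are constructed for illustration.

```python
import ipaddress

# Constructed sample (assumption): global section of the protected server's sshd_config.
SAMPLE = """\
PermitRootLogin yes
AllowUsers admin@192.0.2.10 deploy backup@203.0.113.0/24
"""

def directives(text):
    """Yield (keyword, args) from the global section; stop at the first Match block."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, *args = line.split()
        if keyword.lower() == "match":
            break
        yield keyword.lower(), args

def audit(text, bastions):
    """Return findings for root login and for AllowUsers entries not pinned to a bastion."""
    nets = [ipaddress.ip_network(b) for b in bastions]
    findings, root, patterns = [], None, []
    for keyword, args in directives(text):
        if keyword == "permitrootlogin" and root is None and args:
            root = args[0].lower()      # sshd uses the first value it reads
        elif keyword == "allowusers":
            patterns += args            # collect patterns from every AllowUsers line
    if root != "no":
        findings.append(f"PermitRootLogin is {root or 'not set'}; expected 'no'")
    if not patterns:
        findings.append("no AllowUsers line: sshd does not limit logins by source")
    for pattern in patterns:
        _user, sep, host = pattern.rpartition("@")
        if not sep:
            findings.append(f"{pattern}: no @host part, allowed from any address")
            continue
        try:
            src = ipaddress.ip_network(host, strict=False)
        except ValueError:
            findings.append(f"{pattern}: host is not an address or CIDR range")
            continue
        if not any(src.version == n.version and src.subnet_of(n) for n in nets):
            findings.append(f"{pattern}: source is outside the bastion addresses")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, ["192.0.2.10/32"]):
        print("FINDING:", finding)
```

Entries with a hostname or wildcard after the `@` are reported rather than resolved, since the check cannot tell offline which addresses they cover.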