Date: Fri, 18 Apr 2008 14:01:05 -0500 From: Paul Schmehl <pauls@utdallas.edu> To: Kurt Buff <kurt.buff@gmail.com> Cc: freebsd-questions@freebsd.org Subject: Re: [SSHd] Limiting access from authorized IP's Message-ID: <F2C7D3FA0BB1AD5F74832B32@utd65257.utdallas.edu> In-Reply-To: <a9f4a3860804180915v42a8070dia8008a6847bf5909@mail.gmail.com> References: <2tng04doovnmtkr7or9kfkb596fgjfoj1c@4ax.com> <20080418191449.212f43d3.gary@pattersonsoftware.com> <1EBA9459C137D287EEE2560D@utd65257.utdallas.edu> <4808C54B.1090403@infracaninophile.co.uk> <a9f4a3860804180915v42a8070dia8008a6847bf5909@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--On Friday, April 18, 2008 09:15:41 -0700 Kurt Buff <kurt.buff@gmail.com> wrote: > > Not to detour this conversation too much, I hope, but I'm in a > different situation, and this is going to be an issue for me. I'm > putting together a box that's going to be a router for our company, > using BGP to give access to our T1 and frac DS3. That's all it should > be doing, it will have no other services. It'll be in our server room, > though, so I won't have to get at it from anywhere, except perhaps > home, and even that could be avoided by simply traveling the 10 miles > to work. > > So, I'm wondering how to lock it down - I'm even contemplating > eliminating any MTA and sshd, and just running the routing daemon, but > sshd is just so useful that it's hard to do without, and eliminating > the MTA denies me the goodness of the periodic reports. Just have the MTA listen on localhost or on a unix socket. It can still send the reports that way but can't be attacked from outside (excepting the limited case that Matthew referred to.) > 'Casting > syslog to my internal syslog host is also problematic, but possible, I > suppose. Well, you *should* be remote syslogging any critical machines like that, but that doesn't mean the host itself has to listen for incoming syslog messages. WRT SSH, if it's a real concern, only allow access from your internal network. Then use a publicly accessible machine to tunnel through to it. (But lock it down as well. Attackers can come from the inside of your network just as easily as they can from outside.) Then there's the problem of managing and monitoring the thing > once it's installed. Being able to use mrtg/cacti/something to query > SNMP would be extraordinarily useful, as we will be paying extra for > bandwidth above our fractional rate on the DS3, and also to monitor > the health of the box. > If you're wanting to do this from "foreign" networks (not your own), then set up ssl and logins (.htaccess or httpd.conf, local or ldap, pam, whatever your have available) for the web interface. -- Paul Schmehl (pauls@utdallas.edu) Senior Information Security Analyst The University of Texas at Dallas http://www.utdallas.edu/ir/security/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?F2C7D3FA0BB1AD5F74832B32>