[86857] in North American Network Operators' Group
Re: a record?
daemon@ATHENA.MIT.EDU (Austin McKinley)
Sat Nov 19 19:01:21 2005
Date: Sat, 19 Nov 2005 19:00:35 -0500
From: Austin McKinley <amckinle@andrew.cmu.edu>
To: Alexei Roudnev <alex@relcom.net>
Cc: "Patrick W. Gilmore" <patrick@ianai.net>, nanog@nanog.org
In-Reply-To: <06f801c5ed4e$3f9f3e80$6401a8c0@alexh>
Errors-To: owner-nanog@merit.edu
Or OpenBSD with pf and authpf:
http://www.openbsd.org/faq/pf/authpf.html
Austin
Alexei Roudnev wrote:
>I said many times - just use a non-standard port. Number of hackers who
>discover this port will decrease approx 10,000 times, to
>almost 0 (number).
>
>(Of course, except if you are a bank).
>
>Other approach exists as well - SecureID on firewall. Login to firewall,
>authenticate, and have dynamic access list which opens ssh for you (and
>still keep ssh on port != 22).
>
>
>----- Original Message -----
>From: "Patrick W. Gilmore" <patrick@ianai.net>
>To: <nanog@nanog.org>
>Cc: "Patrick W. Gilmore" <patrick@ianai.net>
>Sent: Tuesday, November 15, 2005 11:02 AM
>Subject: Re: a record?
>
>>On Nov 15, 2005, at 12:52 PM, Church, Chuck wrote:
>>
>>>Isn't it just good security practice to limit telnet/SSH access to
>>>only
>>>a few choice hosts/subnets? I know I'd never allow the 0/0 net access
>>>to a signon screen, even if it is SSH. If you're on vacation and need
>>>to access something, call your NOC, and have them temporarily allow
>>>your
>>>dynamic address for SSH. When a hacker finds an open SSH host, they
>>>think two things - This host is important to someone, and that they
>>>need
>>>more doughnuts...
>>>
>>That is an excellent idea. As soon as I hire a NOC for my personal
>>boxes, I'll get right on that. But, since I Am Not An Isp, I doubt
>>that is going to happen soon.
>>
>>Remember, not every box on the Internet is supported by a whole
>>network of resources (physical and human).
>>
>>--
>>TTFN,
>>patrick
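As an added example, not part of any message in this thread and not taken from the OpenBSD FAQ page Austin links: a minimal pf.conf and authpf.rules pair (current pf.conf(5) syntax) that implements both the static "few choice hosts" restriction Chuck describes and the self-service dynamic access list Alexei describes, with the gateway's own sshd kept off port 22. The interface names em0/em1, the port 2222, the admin network 192.0.2.0/24 and the rate-limit numbers are assumed values for illustration; $user_ip is the macro authpf(8) itself substitutes before loading the per-user rules.

```pf
# /etc/pf.conf  (added example; interface names, ports and networks are assumed)
ext_if      = "em0"
int_if      = "em1"
gw_ssh_port = "2222"          # assumed non-standard port for the gateway's own sshd
mgmt_net    = "192.0.2.0/24"  # assumed always-trusted admin network

table <authpf_users> persist  # authpf(8) adds a user's address here on login, removes it on logout
table <bruteforce>   persist  # sources that tripped the connection-rate limit below

set skip on lo0
block in log on $ext_if
pass out on { $ext_if, $int_if } keep state

# The setting the thread argues against: sshd on 22, open to 0/0.
# pass in on $ext_if proto tcp from any to ($ext_if) port 22

# Gateway sshd on the non-standard port. It stays reachable from anywhere because
# it is where a user authenticates to get the authpf shell, so rate-limit it and
# drop sources that hammer it.
block in quick on $ext_if from <bruteforce>
pass in on $ext_if proto tcp from any to ($ext_if) port $gw_ssh_port \
    flags S/SA keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)

# ssh to hosts behind the gateway: always allowed from the static admin network ...
pass in on $ext_if proto tcp from $mgmt_net to $int_if:network port 22

# ... and otherwise only from an address that currently holds an authpf session.
# Rules from /etc/authpf/authpf.rules are loaded into this anchor for the life of
# the session and removed when it ends.
anchor "authpf/*"

# /etc/authpf/authpf.rules  (added example; loaded separately, so it needs its own macros)
# authpf(8) substitutes $user_ip (and $user_id) before loading these rules.
ext_if = "em0"
int_if = "em1"
pass in quick on $ext_if proto tcp from $user_ip to $int_if:network port 22
```

To make this work the gateway's sshd listens on 2222 (Port 2222 in sshd_config), /usr/sbin/authpf is added to /etc/shells and set as the login shell of each user who may open access, those users are listed in /etc/authpf/authpf.allow, and /etc/authpf/authpf.conf exists (it may be empty). A user on vacation then runs ssh -p 2222 to the gateway from whatever address they have, and for as long as that session stays open port 22 on the internal network is reachable from that address only; when the session closes the rules and the table entry go away. Nobody has to be on duty to edit an access list, which addresses the objection Patrick raises, while the only port exposed to 0/0 is the rate-limited gateway sshd on a non-default port.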