cbrenton at chrisbrenton.org
Sun Sep 12 04:30:51 CEST 2004
On Sat, 2004-09-11 at 20:54, Jason Opperisano wrote:
> On Sat, 2004-09-11 at 20:26, Darren Kirby wrote:
> > I will look into this. I assume however that I would need to keep port 23 open
> > for everyone on the public side for this to work. I was hoping to drop the
> > packets from everyone except my notebook, hence the original question. Is
> > there no way to do this?
> if you're looking for a secure way to manage your firewall from the
> internet without allowing "-s 0/0 --dport 22" type access; you probably
> want to setup some sort of VPN access for yourself.
A VPN is probably overkill as SSH is already a VPN (strong built-in
authentication and encryption; heck, I'll take Blowfish over 3DES or AES
for privacy any day of the week :). Two other options come to mind:
1) Bind SSH to a non-standard port
Yes someone doing a full port scan can still find it, blah, blah, blah.
I've been running this for years and have yet to receive a single
non-authorized connect to the port that has actually performed an SSH
2) Setup port knocking
I know a few people that have set this up with great success. Sure, it's
vulnerable to replay, but since we're talking SSH that's not really a
problem. Great way to expose ports to only certain users.
So with either option you still want to use public/private keys or
strong passwords with SSH. They are designed to simply mask the service
from all the SSH scanning that's running around the Internet.
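As an added example (not part of this thread or of anyone's posted configuration), the following POSIX shell script generates a netfilter rule set that combines the three ideas above: sshd on a non-standard port, that port accepted unconditionally only from the notebook's source address, and the same port opened for 30 seconds to any source that first completes a two-port knock sequence, implemented with the iptables `recent` match. The port numbers (2222, 7001, 7002) and the address 203.0.113.10 are constructed for illustration; the script assumes sshd is already bound to the chosen port and that the rest of the INPUT policy is the reader's own. Rules are printed rather than applied unless `--apply` is given and the script runs as root.

```shell
#!/bin/sh
# Added example: generate netfilter rules that (1) accept SSH on a
# non-standard port only from one trusted source and (2) open that same
# port to anyone who first completes a two-port knock sequence.
# All addresses and ports below are constructed for illustration.

SSH_PORT="${SSH_PORT:-2222}"               # assumption: sshd_config has "Port 2222"
TRUSTED_SRC="${TRUSTED_SRC:-203.0.113.10}" # assumption: the notebook's fixed address
KNOCK1="${KNOCK1:-7001}"                   # first knock port (constructed)
KNOCK2="${KNOCK2:-7002}"                   # second knock port (constructed)

# Print the rule set as iptables command lines. Nothing is applied here,
# so the output can be reviewed or diffed before it touches a live box.
ssh_rules() {
    cat <<EOF
iptables -N SSH_GATE
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport $SSH_PORT --syn -j SSH_GATE
iptables -A SSH_GATE -s $TRUSTED_SRC -j ACCEPT
iptables -A SSH_GATE -m recent --name KNOCK2 --rcheck --seconds 30 -j ACCEPT
iptables -A SSH_GATE -j DROP
iptables -A INPUT -p tcp --dport $KNOCK1 -m recent --name KNOCK1 --set -j DROP
iptables -A INPUT -p tcp --dport $KNOCK2 -m recent --name KNOCK1 --rcheck --seconds 10 -m recent --name KNOCK2 --set -j DROP
iptables -A INPUT -p tcp --dport $KNOCK2 -j DROP
EOF
}

# Rule walk-through:
#  - ESTABLISHED/RELATED first, so an SSH session that was opened during the
#    30 s window keeps working after the window closes (only the SYN is gated).
#  - New SYNs to $SSH_PORT go to SSH_GATE: trusted source -> ACCEPT,
#    source that finished the knock within 30 s -> ACCEPT, everyone else -> DROP.
#  - A SYN to $KNOCK1 records the source in list KNOCK1 and is dropped
#    (the knocker never sees a reply, so the port looks closed).
#  - A SYN to $KNOCK2 from a source seen on KNOCK1 within 10 s is recorded
#    in list KNOCK2 and also dropped; any other SYN to $KNOCK2 is just dropped.

# Apply for real only when explicitly asked and running as root.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" -eq 0 ]; then
    ssh_rules | sh -e
else
    ssh_rules
fi
```

To use it from the road: `nc -z host 7001; nc -z host 7002; ssh -p 2222 host` (the knocks get no reply, so `nc` reports a refused/timed-out connection, which is expected). As the post says, this only hides the service from scanners; the knock sequence is replayable by anyone watching the wire, so key-based or strong-password authentication in sshd is still what actually protects the login.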