MAC addresses

Chris Brenton cbrenton at chrisbrenton.org
Sun Sep 12 04:30:51 CEST 2004


On Sat, 2004-09-11 at 20:54, Jason Opperisano wrote:
>
> On Sat, 2004-09-11 at 20:26, Darren Kirby wrote:
> > I will look into this. I assume however that I would need to keep port 23 open 
> > for everyone on the public side for this to work. I was hoping to drop the 
> > packets from everyone except my notebook, hence the original question. Is 
> > there no way to do this?
> 
> if you're looking for a secure way to manage your firewall from the
> internet without allowing "-s 0/0 --dport 22" type access; you probably
> want to set up some sort of VPN access for yourself.

A VPN is probably overkill as SSH is already a VPN (strong built-in
authentication and encryption). Heck, I'll take Blowfish over 3DES or AES
for privacy any day of the week :). Two other options come to mind:

1) Bind SSH to a non-standard port
Yes, someone doing a full port scan can still find it, blah, blah, blah.
I've been running this for years and have yet to receive a single
non-authorized connect to the port that has actually performed an SSH
handshake.

2) Set up port knocking
http://www.linuxjournal.com/article.php?sid=6811
I know a few people that have set this up with great success. Sure, it's
vulnerable to replay, but since we're talking SSH that's not really a
problem. Great way to expose ports to only certain users.

So with either option you still want to use public/private keys or
strong passwords with SSH. They are designed to simply mask the service
from all the SSH scanning that's running around the Internet.

HTH,
Chris
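The knock-sequence tracking behind option 2, as an added example that is not code from the mail or from the Linux Journal article: it models the decision a knock daemon makes before it opens the SSH port for one source address, including the timeout between knocks and the replay property the mail mentions. The knock ports, timings and the two source addresses are constructed values.

```python
KNOCK_SEQUENCE = (7000, 8000, 9000)  # knock ports, in order (constructed values)
KNOCK_WINDOW = 10.0                  # max seconds allowed between consecutive knocks
OPEN_FOR = 30.0                      # seconds the SSH port stays reachable after a good sequence
SSH_PORT = 22

class KnockTracker:
    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW, open_for=OPEN_FOR):
        self.sequence = tuple(sequence)
        self.window = window
        self.open_for = open_for
        self._progress = {}  # src_ip -> (index of next expected port, time of last knock)
        self._opened = {}    # src_ip -> time at which its opening expires

    def knock(self, src_ip, dport, now):
        """Feed one inbound SYN to a non-SSH port seen at time `now`; True on a complete sequence."""
        idx, last = self._progress.get(src_ip, (0, now))
        if now - last > self.window:
            idx = 0  # too slow between knocks: start over
        if dport == self.sequence[idx]:
            idx += 1
        else:
            idx = 1 if dport == self.sequence[0] else 0  # wrong port resets (first port restarts)
        if idx == len(self.sequence):
            self._progress.pop(src_ip, None)
            # Replay weakness the mail refers to: nothing proves who sent the knocks, so the same
            # SYNs resent from the same source address open the port again; SSH auth still guards it.
            self._opened[src_ip] = now + self.open_for
            return True
        self._progress[src_ip] = (idx, now)
        return False

    def allowed(self, src_ip, now):
        """True while this source's opening has not expired."""
        return self._opened.get(src_ip, 0.0) > now

def simulate(events):
    """Replay constructed (time, src_ip, dport) SYN events; return the SSH SYNs that would pass."""
    tracker, passed = KnockTracker(), []
    for t, src, dport in events:
        if dport != SSH_PORT:
            tracker.knock(src, dport, t)
        elif tracker.allowed(src, t):
            passed.append((t, src))
    return passed

SAMPLE_EVENTS = [  # constructed: a blind scanner (198.51.100.7) and the notebook (203.0.113.5)
    (0.0, "198.51.100.7", 22), (1.0, "203.0.113.5", 7000), (2.0, "203.0.113.5", 8000),
    (3.0, "203.0.113.5", 9000),  # sequence complete: SSH open for the notebook until t=33
    (4.0, "203.0.113.5", 22), (5.0, "198.51.100.7", 22), (40.0, "203.0.113.5", 22),
]
```

Only the notebook's SSH SYN at t=4 passes; the scanner's probes and the notebook's own attempt after the opening expired are dropped.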