[TriLUG] Host Blocking
Aaron S. Joyner
aaron at joyner.ws
Wed Jan 5 23:41:24 EST 2005
Steve Kuekes wrote:
> Greg Cox wrote:
>
>>
>> But you're officially allowed to put a 'Power of Pride' bumper
>> sticker on
>> the box if you iptable this up.
>>
>
> Here are some lines from my /etc/sysconfig/iptables that block these
> ranges of IPs from my ssh port (since I will never need to access my
> machine from those parts of the world).
>
... All this is well and good, but you're neglecting the first rule of
a good firewall. Deny everything, allow only specifically what you
need. The right question to ask is, what net blocks *do* I need access
from, to the ssh port. Keep that list as short as possible, and you'll
be in good shape. It's also generally a *much* easier list to compile
and enforce. Yes, it may cause you a bit of trouble if you're somewhere
you didn't expect to be -- but if that's the case, you can enable
something like port knocking or a password-protected SSL connection made
to a non-standard port, which can enable SSHd on a non-standard port, at
the click of a button. Consider making it active only for a very
limited time via that method, as well. Something like 60 seconds or 5
mins. Use that 60 seconds to add the IP you're coming from to the
regular access list.
Aaron S. Joyner
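A worked example of the default-deny approach described above, added here and not part of Aaron's message or the original thread: a small POSIX shell script that builds an iptables chain for the SSH port which accepts only the listed net blocks and drops everything else, plus a helper that admits one address for a limited window so it can be added to the permanent list. The net blocks (RFC 5737 documentation ranges), the chain name SSH-IN and the IPT dry-run variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: default-deny allow-list for the SSH port (not from the thread).
# Net blocks below are constructed sample values (RFC 5737 documentation ranges).
SSH_PORT=22
ALLOWED_NETS="192.0.2.0/24 198.51.100.0/24"
# Set IPT=echo to print the rules instead of applying them (dry run / testing).
IPT="${IPT:-iptables}"

# Build a dedicated chain so the allow-list can be rebuilt without touching
# the rest of the INPUT chain.
ssh_allowlist_setup() {
    "$IPT" -N SSH-IN 2>/dev/null || "$IPT" -F SSH-IN
    for net in $ALLOWED_NETS; do
        "$IPT" -A SSH-IN -s "$net" -j ACCEPT
    done
    # Default deny: anything not explicitly listed above is dropped.
    "$IPT" -A SSH-IN -j DROP
    # Route new TCP connections to the SSH port through the chain.
    "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j SSH-IN
}

# Admit one source address for a limited time (default 60 seconds), e.g. after
# a port-knock, then remove the rule again. Use that window to add the address
# to ALLOWED_NETS permanently if it turns out to be needed.
ssh_allow_temporarily() {
    ip="$1"
    secs="${2:-60}"
    "$IPT" -I SSH-IN 1 -s "$ip" -j ACCEPT
    ( sleep "$secs" && "$IPT" -D SSH-IN -s "$ip" -j ACCEPT ) &
}
```

Run with `IPT=echo` first to review the generated rules before applying them as root.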