--On August 11, 2006 9:02:14 AM +0700 Olivier Nicole <[EMAIL PROTECTED]>
You're making some assumptions that I don't think you can make. For
example, I have a publicly accessible server at work that does not change
IPs. So, even if nothing else will work, I can always get back in to my
servers through that server. It's a form of a bastion host.

> > I'm configuring my IP filter and I need to figure out what IP addresses
> > I use (via SSH2) to contact my server.
>
> I'd advise you not to filter SSH by IP, that would be the best way to
> lock you out of your server.
>
> Even if you find all the IPs used by your ISP, you cannot predict when
> the IP range will change, and it DOES change.
>
> If you limit the IPs that can SSH to your server, you will not be able
> to log in when you are traveling and some urgent administration task
> needs to be performed. And the most urgent tasks must often be
> performed when traveling...

Also, when I'm traveling, I can always get in through that server, so I
never open up an IP from where I'm traveling.
His situation may be similar, who knows. He may also be as paranoid as I
All excellent suggestions, which he should implement, regardless of
whether he also chooses to restrict access by IP.

> Set a strong password for your account (8+ characters, using upper
> and lower case letters, numbers and punctuation signs), do not allow SSH to
> the root account, enforce using sudo instead of su.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
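
The two positions in this thread (no root SSH, and a source restriction that still admits the fixed-IP bastion host) can be checked before a change is applied. The following is an added example, not part of the original messages: it assumes the restriction is written as OpenSSH `AllowUsers user@host` entries in `sshd_config` rather than in the poster's packet filter, and the function names, finding labels and sample addresses are constructed for illustration.

```python
import ipaddress
# Constructed sample config; 192.0.2.10 stands in for the fixed-IP bastion host.
SAMPLE = """\
# constructed example
PermitRootLogin no
PermitRootLogin yes
AllowUsers admin@192.0.2.10 deploy
AllowUsers backup@198.51.100.0/24
"""

def parse(text):
    """Return (first value per global keyword, all AllowUsers patterns)."""
    first, allow = {}, []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()            # keywords are case-insensitive
        if key == "match":                # conditional blocks are out of scope here
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "allowusers":
            allow.extend(value.split())   # patterns from every AllowUsers line
        else:
            first.setdefault(key, value)  # sshd keeps the first value it reads
    return first, allow

def audit(text, bastion_ip):
    """List findings: root SSH not disabled, unpinned sources, bastion shut out."""
    first, allow = parse(text)
    bastion = ipaddress.ip_address(bastion_ip)
    findings, reachable = [], False
    # An unset PermitRootLogin depends on the version default, so it is flagged too.
    if first.get("permitrootlogin", "unset").lower() != "no":
        findings.append("root-login-not-disabled")
    for pattern in allow:
        user, sep, host = pattern.partition("@")
        try:
            net = ipaddress.ip_network(host, strict=False) if sep else None
        except ValueError:
            net = None                    # hostname or wildcard, not an address
        if net is None:
            findings.append("source-not-pinned:" + user)
        elif bastion in net:
            reachable = True
    if not allow:
        findings.append("no-allowusers")
    elif not reachable:
        findings.append("bastion-locked-out")  # the lockout risk raised in the thread
    return findings
```

Calling `audit(SAMPLE, "192.0.2.10")` reports only the `deploy` entry, which carries no source address; the second `PermitRootLogin` line is ignored because the first value wins.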