--On August 11, 2006 9:02:14 AM +0700 Olivier Nicole <[EMAIL PROTECTED]> wrote:

> Beno,
>
> > I'm configuring my IP filter and I need to figure out what IP addresses
> > I use (via SSH2) to contact my server.
>
> I'd advise you not to filter SSH by IP, that would be the best way to
> lock you out of your server.
>
> Even if you find all the IPs used by your ISP, you cannot predict when
> the IP range will change, and it DOES change.
>
> If you limit the IPs that can SSH to your server, you will not be able
> to login when you are traveling and some urgent administration task
> needs to be performed. And the most urgent tasks must often be
> performed when traveling...

You're making some assumptions that I don't think you can make. For example, I have a publicly accessible server at work that does not change IPs. So, even if nothing else will work, I can always get back in to my servers through that server. It's a form of a bastion host.

Also, when I'm traveling, I can always get in through that server, so I never open up an IP from where I'm traveling.

His situation may be similar, who knows. He may also be as paranoid as I am. :-)

> Set a strong password to your account (8+ characters, using upper
> and lower case letters, numbers and punctuation signs), do not allow SSH to
> root account, enforce using sudo instead of su.

All excellent suggestions, which he should implement, regardless of whether he also chooses to restrict access by IP.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
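
The bastion arrangement and the no-root-login advice discussed in this message, sketched as OpenSSH configuration. This is an added example, not part of the original message; the addresses 192.0.2.10 and 198.51.100.20, the account name `admin`, and the host aliases are constructed placeholders, and `ProxyJump` assumes an OpenSSH client of version 7.3 or later.

```conf
# ---- /etc/ssh/sshd_config on the protected server (constructed example) ----

# No direct root logins over SSH; log in as a normal user and use sudo.
PermitRootLogin no

# Accept the hypothetical account "admin" only when the connection
# originates from the fixed-IP bastion (placeholder 192.0.2.10).
# Note: once AllowUsers is set, every account not listed is refused.
AllowUsers admin@192.0.2.10

# ---- ~/.ssh/config on the laptop used while traveling (constructed example) ----

# The publicly reachable host whose IP does not change.
Host bastion
    HostName 192.0.2.10
    User admin

# The protected server (placeholder 198.51.100.20) is reached through
# the bastion, so no per-trip source IP has to be opened on the server.
Host server
    HostName 198.51.100.20
    User admin
    ProxyJump bastion
```

With this in place, `ssh server` from any network connects to the bastion first and then on to the server, so the server's packet filter only needs to permit port 22 from the bastion's address.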
