 From:  Thomas Sprinzing <thomas at sprinzing dot org>
 To:  A dot L dot M dot Buxey at lboro dot ac dot uk
 Cc:  Lee Sharp <leesharp at hal dash pc dot org>, "m0n0wall at lists dot m0n0 dot ch" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] SSH NAT/PAT woes
 Date:  Mon, 8 Dec 2008 10:31:05 -0500
On 8-Dec-08, at 10:08 AM, A dot L dot M dot Buxey at lboro dot ac dot uk wrote:

> Hi,
>
>> seems the bad guys do actually know how to get around that one, too:
>>
>> http://www.theregister.co.uk/2008/12/08/brute_force_ssh_attack/
>>
>> darn, how i hate this rat-race.
>>
>> it sucks big time.
>
> SSH on port 22 ('hiding it' on other ports doesn't work)
>
> Stop any text entry authentication - use only certificates
> (strong ones too!)

problem is: i'm not the admin of _that_ server.
there is a company servicing their software running on that machine,  
and i couldn't even get them to change from the standard port.
they need the whole plethora open, ftp, ssh, you name it. They say  
they have a servicing tool built specially for that, so this is yet  
another case of pretty shitty software making the world more  
enjoyable...

So much about me expecting them to be able to know and practice what  
you're suggesting (and i shall be doing on my servers from now ;-) )

Actually, hiding the port works pretty fine for me so far. And, for  
sure, i don't allow root to log in on my systems.

So that _particular_ patient is open to the support_company's ip only.
Not pretty, but the only thing i can do.

I actually would have liked to get ssh as a backup as well to access  
the monowall from inside, in the case i have to change the VPN  
certificates...

cheers

thomas