[vox] security dilemma

Cylar Z cylarz at yahoo.com
Wed Sep 20 21:19:25 PDT 2006


Hey all,

I have a security-related question and would like to
solicit your advice on the best way to lock down my
system, given the situation.

My Red Hat system is on a network, has a public static
IP, and is exposed to the full traffic of the Internet
- no DMZ or router/firewall protection. (I've
considered adding a small router in front of it, but
that is a separate issue.)

I'm using an iptables firewall along with TCP
wrappers. These two measures bolster system security
by only allowing connections from a limited set of IP
addresses where I and/or authorized users should be
coming from while accessing the system remotely via
SSH2. (All other connections are automatically denied
by the firewall). I've also implemented some secondary
security measures, but TCP wrappers and the firewall
stop over 99% of break-in attempts.

Here's the issue. As with many broadband customers, my
IP changes occasionally, and every so often, my
assigned client IP address falls outside of the range
defined by the firewall and/or TCP wrappers on the
remote Red Hat server. However, expanding the range of
IPs it allows to try logging in is a problem for two
reasons:

1. I don't know the full range of IPs offered by my
ISP. The pool of possible IPs I've so far been
assigned from is HUGE - ranging over at least 4 Class A
address groups, based on the ones my ISP has pushed at
me so far, meaning the IP assigned varies anywhere
between 70-73.XXX.XXX.XXX.

That is a huge amount of addresses to leave open,
since potentially many thousands of attackers would be
able to bypass both of my primary security measures
and have a shot at guessing a user/pass combination
that would let them onto the system.

2. My logs have recorded numerous break-in attempts on
the server, by individuals originating from the range
listed above. So again, I'd prefer not to just open
the entire range, since that lets attackers past my 2
best security layers. Even if I wanted to open the
whole range, how would I find out what the range was?
The tech support people aren't going to know the
answer to a question like that.

Any advice would be much appreciated. On the one hand,
I'm sick of getting locked out of my own system
when my IP changes. On the other, I'm sick of people
who have the same ISP as I do trying to crack into my
server.

Thanks,
Matt

--- vox-request at lists.lugod.org wrote:

> Message: 1
> Date: Tue, 19 Sep 2006 17:54:45 -0700
> From: Scott Ritchie <scott at open-vote.org>
> Subject: [vox] Who owns the "I heart Tux" Lexus?
> To: vox at lists.lugod.org
> Message-ID: <1158713685.9602.1.camel at localhost>
> Content-Type: text/plain
> 
> Off the Covell 113 exit today I saw a black Lexus
> with the license plate
> "I(heart)TUX", alongside a little picture of the
> guy.
> 
> Cool plate :)
> 
> Thanks,
> Scott Ritchie
> 
> 
> 


If you're going to appoint yourself judge, jury, and executioner, at least make sure you're handing down the correct judgements.
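A small helper for the allow-list problem described above, added here as an example and not part of the original post: it reports which permitted CIDR (if any) a client address falls in and how many addresses the whole list lets through, so the cost of widening the iptables/TCP wrappers ranges can be seen before doing it. The ranges used are constructed sample values.

```sh
#!/bin/sh
# Added example (not from the original post). Pure POSIX sh + awk; it does
# not touch iptables or hosts.allow itself. Note that the 70-73.x.x.x span
# from the post needs two /7 blocks: 70.0.0.0/6 is not block-aligned and a
# netmask match would treat it as 68.0.0.0/6.

# ip_to_int ADDR -> dotted-quad as a decimal integer
ip_to_int() {
    printf '%s\n' "$1" |
        awk -F. '{ print ($1 * 16777216) + ($2 * 65536) + ($3 * 256) + $4 }'
}

# cidr_size CIDR -> number of addresses covered by the block
cidr_size() {
    awk -v b="${1#*/}" 'BEGIN { print 2 ^ (32 - b) }'
}

# ip_in_cidr ADDR CIDR -> exit 0 if ADDR lies inside CIDR, 1 otherwise.
# The network part is aligned down to the block boundary first.
ip_in_cidr() {
    awk -v a="$(ip_to_int "$1")" -v n="$(ip_to_int "${2%/*}")" \
        -v b="${2#*/}" 'BEGIN {
        size = 2 ^ (32 - b)
        base = n - (n % size)
        exit !(a >= base && a < base + size)
    }'
}

# allowed ADDR CIDR... -> prints the first range admitting ADDR, exit 1 if none
allowed() {
    a=$1; shift
    for c in "$@"; do
        if ip_in_cidr "$a" "$c"; then printf '%s\n' "$c"; return 0; fi
    done
    return 1
}

# total_exposed CIDR... -> how many addresses the whole allow-list admits
total_exposed() {
    t=0
    for c in "$@"; do t=$(( t + $(cidr_size "$c") )); done
    printf '%s\n' "$t"
}

# Constructed sample allow-list standing in for the post's 70-73.x.x.x span.
ALLOW="70.0.0.0/7 72.0.0.0/7"
allowed 72.1.2.3 $ALLOW        # -> 72.0.0.0/7
total_exposed $ALLOW           # -> 67108864
```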