[vox] security dilemma

Ryan cjg5ehir02 at sneakemail.com
Thu Sep 21 09:51:52 PDT 2006


On Wednesday 20 September 2006 09:19 pm, Cylar Z cylarz-at-yahoo.com |lugod| 
wrote:
> Hey all,
>
> I have a security-related question and would like to
> solicit your advice on the best way to lock down my
> system, given the situation.
>
> My Redhat system is on a network, has a public static
> IP, and is exposed to the full traffic of the Internet
> - no DMZ or router/firewall protection. (I've
> considered adding a small router in front of it, but
> that is a separate issue.)
>
> I'm using an iptables firewall along with TCP
> wrappers. These two measures bolster system security
> by only allowing connections from a limited set of IP
> addresses where I and/or authorized users should be
> coming from while accessing the system remotely via
> SSH2. (All other connections are automatically denied
> by the firewall). I've also implemented some secondary
> security measures, but TCP wrappers and the firewall
> stop over 99% of break-in attempts.
>
> Here's the issue. As with many broadband customers, my
> IP changes occasionally, and every so often, my
> assigned client IP address falls outside of the range
> defined by the firewall and/or TCP wrappers on the
> remote Red Hat server. However, expanding the range of
> IP's it allows to try logging in is a problem for two
> reasons:
>
> 1. I don't know the full range of IP's offered by my
> ISP. The pool of possible IP's I've so far been
> assigned from is HUGE - ranging at least 4 Class A
> address groups, based on the ones my ISP has pushed at
> me so far. Meaning the IP assigned varies anywhere
> between 70-73.XXX.XXX.XXX.
>
> That is a huge amount of addresses to leave open,
> since potentially many thousands of attackers would be
> able to bypass both of my primary security measures
> and have a shot at guessing a user/pass combination
> that would let them onto the system.
>
> 2. My logs have recorded numerous break-in attempts on
> the server, by individuals originating from the range
> listed above. So again, I'd prefer not to just open
> the entire range, since that lets attackers past my 2
> best security layers. Even if I wanted to open the
> whole range, how would I find out what the range was?
> The tech support people aren't going to know the
> answer to a question like that.
>
> Any advice would be much appreciated. On the one hand,
> I'm sick of getting either locked out of my own system
> when my IP changes. On the other, I'm sick of people
> who have the same ISP as I do, trying to crack into my
> server.

You have several possible options:

1) Security through obscurity.  Put SSH on a random high port.

2) Port Knocking.  You send a series of SYN packets to your firewall and it 
temporarily opens the port. See google for more info.

3) Run dyndns on your broadband connection, and use cron to re-resolve your 
IP on a regular basis, and update an iptables rule.
-- 
Ryan Castellucci - http://ryanc.org/
GPG Key: http://ryanc.org/files/publickey.asc
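Option 3 above, worked through as an added example (not code from the original thread): a cron-driven script that re-resolves a dyndns name and swaps the SSH allow rule to the new address. The hostname, state-file path and the dedicated chain name are assumptions; the script inserts the new ACCEPT before deleting the old one so the admin is never locked out in between, and keeps the last known-good rule when DNS fails.

```python
"""Cron job: point an iptables SSH allow rule at a dynamic-DNS name."""
import socket
import subprocess
from pathlib import Path

HOME_HOST = "home.example.dyndns.test"          # hypothetical dyndns name
STATE_FILE = "/var/lib/sshallow/last_ip"        # hypothetical state path
CHAIN = "SSH_DYN"  # hypothetical chain that INPUT jumps to for tcp/22


def rule_commands(old_ip, new_ip, chain=CHAIN):
    """iptables invocations that replace old_ip with new_ip in the chain.

    Empty when nothing changed; first run (old_ip None) yields only the
    insert. Insert comes before delete so there is no window with no rule.
    """
    if old_ip == new_ip:
        return []
    cmds = [["iptables", "-I", chain, "1", "-s", new_ip, "-p", "tcp",
             "--dport", "22", "-j", "ACCEPT"]]
    if old_ip:
        cmds.append(["iptables", "-D", chain, "-s", old_ip, "-p", "tcp",
                     "--dport", "22", "-j", "ACCEPT"])
    return cmds


def refresh(resolve=socket.gethostbyname, state=STATE_FILE,
            run=subprocess.run):
    """Re-resolve HOME_HOST; if the address moved, rewrite rule and state.

    Returns the commands executed ([] when unchanged or DNS failed), so the
    logic can be exercised with a fake resolver and a no-op runner.
    """
    path = Path(state)
    old_ip = path.read_text().strip() if path.exists() else None
    try:
        new_ip = resolve(HOME_HOST)
    except socket.gaierror:
        return []  # DNS failure: leave the last known-good rule in place
    cmds = rule_commands(old_ip, new_ip)
    for cmd in cmds:
        run(cmd, check=True)  # raise on iptables error, do not record new IP
    if cmds:
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(new_ip + "\n")
    return cmds


if __name__ == "__main__":
    for cmd in refresh():
        print(" ".join(cmd))
```

The allow rule is only as trustworthy as the dyndns answer, so it belongs alongside key-only SSH authentication rather than in place of it.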

