Re: Customer-facing ACLs

From: Jay Hennigan (no email)
Date: Sat Mar 08 2008 - 15:58:15 EST

  • Next message: William Norton: "Re: Customer-facing ACLs"

    Dave Pooser wrote:

    > Half the Mac users? You think? I know a dozen or so sysadmins who use Macs,

    [raises hand...]

    > and about a hundred users who wouldn't know SSH from PCP; I think that's
    > probably a slightly skewed sample considering I'm a Mac geek who hangs
    > around with Mac geeks, and I'd guess the consumer users are a larger
    > percentage of the real-life population.

    I was quite surprised to see the large number of Mac laptops at NANOG
    42. I didn't do a formal count but it seemed like about 1/4 to 1/3 of
    the laptops in use were Macs.

    > I'd expect the number of folks who
    > want SSH unblocked to be under 1% of a consumer broadband network, and
    > probably closer to 0.1% or so. And again, it ought to be trivial to let your
    > users unblock the system, either via phone call or via self-service Web page
    > (though in the latter case you'd better use a captcha or something so the
    > bot doesn't automatically unblock itself).

    I'm against the slippery slope of blocking ports by default, with the
    possible exception of SMTP if the provider offers a well-publicized
    local SMTP server.

    Servers that must leave ssh open to the Internet can and should consider
    using some form of time-out script like this one:
    http://www.pettingers.org/code/SSHBlack.html

    --
    Jay Hennigan - CCIE #7880 - Network Engineering - 
    Impulse Internet Service  -  http://www.impulse.net/
    Your local telephone and internet company - 805 884-6323 - WB6RDV
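As an added illustration of the time-out approach Jay recommends (this is not SSHBlack's code and not from the original post): a small Python scanner that reads sshd auth log lines, counts failed passwords per source inside a short window, and returns blocks that expire after a fixed ban period instead of a permanent blacklist. The log lines, the addresses (documentation ranges), and the threshold, window and ban values are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines (not real hosts; documentation address ranges).
SAMPLE_LOG = """\
Mar  8 15:50:01 gw sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Mar  8 15:50:03 gw sshd[2102]: Failed password for invalid user admin from 198.51.100.7 port 40123 ssh2
Mar  8 15:50:05 gw sshd[2103]: Failed password for root from 198.51.100.7 port 40124 ssh2
Mar  8 15:50:06 gw sshd[2104]: Failed password for jay from 203.0.113.9 port 51000 ssh2
Mar  8 15:50:09 gw sshd[2105]: Failed password for invalid user test from 198.51.100.7 port 40125 ssh2
Mar  8 15:50:12 gw sshd[2106]: Accepted publickey for jay from 203.0.113.9 port 51001 ssh2
"""

# Syslog timestamp, host, sshd pid, then the failed-password message with its source address.
FAILED_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port \d+"
)

def failed_logins(log_text):
    """Yield (timestamp, source_ip) for every failed-password line (year-less syslog time)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2)

def compute_blocks(log_text, threshold=3, window=60, ban=3600):
    """Return {source_ip: expiry} for sources with >= threshold failures within `window` seconds.
    The expiry (trigger time + `ban` seconds) is the time-out: the block lifts by itself,
    so a mistyped password from a legitimate user does not lock them out for good."""
    recent = defaultdict(deque)   # per-source failure timestamps inside the window
    blocks = {}
    for ts, ip in failed_logins(log_text):
        if ip in blocks and ts < blocks[ip]:
            continue              # still in time-out; a firewall rule would drop this anyway
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window:
            q.popleft()           # forget failures older than the window
        if len(q) >= threshold:
            blocks[ip] = ts + timedelta(seconds=ban)
            q.clear()
    return blocks

def active_blocks(blocks, now):
    """Sources whose time-out has not yet expired at `now`; expired entries simply fall out."""
    return {ip: exp for ip, exp in blocks.items() if exp > now}

if __name__ == "__main__":
    for ip, exp in compute_blocks(SAMPLE_LOG).items():
        print(f"block {ip} until {exp.strftime('%b %d %H:%M:%S')}")
```

Feeding the returned addresses into a firewall rule with a matching expiry is the part a real script such as the one linked above would add; here the decision logic alone is shown.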