>  ...I only need to open SSH to the outside world and to my local 
> network: this works fine with the ssh/ACCEPT in rules
> However I would like to use another port for SSH since my ISP blocks 
> all ports lower than a certain number. I would like to use a port such
> as 29999 ...

Although the chances of an SSH penetration on an alternate port are fairly 
small, the costs could be _extremely_ high. So I suggest not only moving to an 
alternate port, but also doing all of the following:

1) Modify the ACCEPT to only allow connections from possible legitimate 
addresses (all nearby ISP netblocks for example), rather than from anywhere in 
the whole world. 

2) Configure sshd to not accept "root" logins no matter what.

3) Configure sshd to only allow public/private key connections and disallow use 
of regular passwords for all accounts no matter what.

4) Either by policy or by an explicit DROP, close and stealth the regular SSH 
port.


(You could go even further and

5) Use DNAT rather than ACCEPT to route ssh connections from outside to some 
other internal host, and configure the firewall's sshd to only listen on the 
internal interface (when necessary doublehop-ssh back to the firewall from the 
internal system)

6) Explicitly DROP all connection requests to the new port number that aren't 
caught by the ACCEPT/DNAT)

thanks! -Chuck Kollars
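The six points above written out as a Shorewall `rules` fragment plus the matching `sshd_config` lines for the firewall. This is an added example, not configuration from the original post; the zone names `net`/`loc`, the ISP netblock 203.0.113.0/24, the internal host 192.168.1.10 and the firewall's internal address 192.168.1.1 are assumed values.

```conf
# /etc/shorewall/rules  (added example; zone names net/loc, netblock
# 203.0.113.0/24 and host 192.168.1.10 are assumed values)
#ACTION      SOURCE               DEST                   PROTO  DEST_PORT(S)

# 1) + 5) Accept the alternate port only from the ISP netblock(s) you
# actually connect from, and DNAT it to an internal host's sshd (port 22
# there) instead of terminating it on the firewall.
DNAT         net:203.0.113.0/24   loc:192.168.1.10:22    tcp    29999

# The local network still reaches the firewall's own sshd directly.
SSH(ACCEPT)  loc                  $FW

# 6) Anything else aimed at the alternate port that the DNAT did not catch
# is dropped (no RST or ICMP reply), not rejected.
DROP         net                  $FW                    tcp    29999

# 4) Stealth the standard port the same way.
DROP         net                  $FW                    tcp    22


# /etc/ssh/sshd_config on the firewall  (added example; 192.168.1.1 is the
# assumed internal interface address). sshd_config does not accept trailing
# comments, so each setting is explained on the line above it.
# 5) listen on the internal interface only
ListenAddress 192.168.1.1
# 2) no root logins no matter what
PermitRootLogin no
# 3) keys only: disable password and keyboard-interactive authentication
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
```

The internal host that receives the DNAT'd connections needs the same `PermitRootLogin`/`PasswordAuthentication` settings, since it is now the machine exposed on port 29999. Shorewall evaluates rules in order, so the DNAT line must precede the DROP for the same port.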

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users