[Nottingham] Dealing with a router that does not support Port Forwarding

Martin martin at ml1.co.uk
Mon May 11 09:28:30 UTC 2015


On 11/05/15 09:13, Jason Irwin wrote:
> On 08/05/15 17:44, Jason Irwin wrote:
>> Now just to decide how to secure the thing.
>> Add fail-to-ban...
>> Maybe even VM...
> 
> As I already have fail2ban running on a VM, simple enough job to set
> that up as the gateway.
> I plan to make sshd only accept certs*, limit access to a couple of
> users, rate-limit login attempts in ufw/iptables and expose it on a
> non-standard port.
> 
> Any other low-hanging fruit I should consider?
> 
> * Annoyingly the JuiceSSH Android app cert doesn't appear to work
> despite being in "authorized_keys". Grr....

If this is in effect a point-to-point tunnel, then you can stop most
break-in silliness by locking down by IP address to only accept the one
known good IP address...

However, if you also need remote access to set the thing up, take care
to not lock yourself out!


And then also, there is the good reminder with that most excellent flag
in Shorewall:

[*] ADMINISABSENTMINDED=yes

;-)


Good luck,
Martin


*:
http://shorewall.net/manpages/shorewall.conf.html


-- 
- ╔═══════════════════╦══════════════════════════════════════════╗
- ║   Martin Lomas    ║ OpenPGP (GPG/PGP) Public Key: 0xCEE1D3B7 ║
- ║ martin@ ml1 co uk ║ Import from   hkp://subkeys.pgp.net   or ║
- ║ ----------------- ║ http:// ml1 .co .uk/martin_ml1_co_uk.gpg ║
- ╚═══════════════════╩══════════════════════════════════════════╝
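As an added example (not part of the original thread or Shorewall), the two halves of the plan above in checkable form: an audit of sshd_config for the settings Jason lists (key-only login, AllowUsers, non-standard port), and a printout of iptables rules for Martin's single-known-good-IP lockdown with a rate limit on new connections. The source address 203.0.113.10, port 2222 and the printed-not-applied approach are assumptions, the last one so you can read the rules over a working session before committing them.

```shell
#!/bin/sh
# Added example, not from the thread. sshd_config semantics: the first
# occurrence of a directive wins, so we take the first non-comment match.
sshd_setting() {  # $1 = config file, $2 = directive name
    grep -iE "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}'
}

# Return 0 when the config enforces key-only auth, restricts users and
# moves sshd off port 22; otherwise print each failure and return the count.
audit_sshd_config() {
    cfg=$1; fails=0
    [ "$(sshd_setting "$cfg" PasswordAuthentication | tr A-Z a-z)" = "no" ] \
        || { echo "FAIL: PasswordAuthentication must be 'no'"; fails=$((fails+1)); }
    [ "$(sshd_setting "$cfg" PubkeyAuthentication | tr A-Z a-z)" != "no" ] \
        || { echo "FAIL: PubkeyAuthentication is disabled"; fails=$((fails+1)); }
    [ -n "$(sshd_setting "$cfg" AllowUsers)" ] \
        || { echo "FAIL: no AllowUsers restriction"; fails=$((fails+1)); }
    port=$(sshd_setting "$cfg" Port)
    [ -n "$port" ] && [ "$port" != "22" ] \
        || { echo "FAIL: sshd still on the default port 22"; fails=$((fails+1)); }
    return $fails
}

# Print (do not apply) filter rules: SSH only from the one trusted address,
# at most 3 new connections per minute from it, everything else dropped.
# Assumed values: $1 = trusted source IP (e.g. 203.0.113.10), $2 = sshd port.
ssh_firewall_rules() {
    cat <<EOF
iptables -A INPUT -p tcp --dport $2 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport $2 -s $1 -m conntrack --ctstate NEW \\
    -m recent --name ssh --update --seconds 60 --hitcount 4 -j DROP
iptables -A INPUT -p tcp --dport $2 -s $1 -m conntrack --ctstate NEW \\
    -m recent --name ssh --set -j ACCEPT
iptables -A INPUT -p tcp --dport $2 -j DROP
EOF
}

# Usage (paths are assumptions): review the output from an already-open
# session before applying it, so a typo cannot lock you out.
#   audit_sshd_config /etc/ssh/sshd_config && ssh_firewall_rules 203.0.113.10 2222
```

Keep the ESTABLISHED rule, or an equivalent global one, ahead of the DROP: without it the session you are administering from is cut off as soon as the rules load.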


