[Nottingham] Dealing with a router that does not support Port Forwarding
Martin
martin at ml1.co.uk
Mon May 11 09:28:30 UTC 2015
On 11/05/15 09:13, Jason Irwin wrote:
> On 08/05/15 17:44, Jason Irwin wrote:
>> Now just to decide how to secure the thing.
>> Add fail-to-ban...
>> Maybe even VM...
>
> As I already have fail2ban running on a VM, simple enough job to set
> that up as the gateway.
> I plan to make sshd only accept certs*, limit access to a couple of
> users, rate-limit login attempts in ufw/iptables and expose it on a
> non-standard port.
>
> Any other low-hanging fruit I should consider?
>
> * Annoyingly the JuiceSSH Android app cert doesn't appear to work
> despite being in "authorized_keys". Grr....
If this is in effect a point-to-point tunnel, then you can stop most
break-in silliness by locking down by IP address to only accept the one
known good IP address...
However, if you also need remote access to set the thing up, take care
to not lock yourself out!
And then also, there is the good reminder with that most excellent flag
in Shorewall:
[*] ADMINISABSENTMINDED=yes
;-)
Good luck,
Martin
*:
http://shorewall.net/manpages/shorewall.conf.html
--
- ╔═══════════════════╦══════════════════════════════════════════╗
- ║ Martin Lomas ║ OpenPGP (GPG/PGP) Public Key: 0xCEE1D3B7 ║
- ║ martin@ ml1 co uk ║ Import from hkp://subkeys.pgp.net or ║
- ║ ----------------- ║ http:// ml1 .co .uk/martin_ml1_co_uk.gpg ║
- ╚═══════════════════╩══════════════════════════════════════════╝
More information about the Nottingham
mailing list