[Nottingham] Dealing with a router that does not support Port Forwarding

Paul reclusivegeek at yahoo.co.uk
Mon May 11 09:40:08 UTC 2015


Last year I got rid of my broadband router altogether and opted 
instead to use a pfSense firewall on my VM box. The best 
decision I ever made.

On 11/05/15 10:28, Martin wrote:
> On 11/05/15 09:13, Jason Irwin wrote:
>> On 08/05/15 17:44, Jason Irwin wrote:
>>> Now just to decide how to secure the thing.
>>> Add fail-to-ban...
>>> Maybe even VM...
>> As I already have fail2ban running on a VM, simple enough job to set
>> that up as the gateway.
>> I plan to make sshd only accept certs*, limit access to a couple of
>> users, rate-limit login attempts in ufw/iptables and expose it on a
>> non-standard port.
>>
>> Any other low-hanging fruit I should consider?
>>
>> * Annoyingly the JuiceSSH Android app cert doesn't appear to work
>> despite being in "authorized_keys". Grr....
> If this is in effect a point-to-point tunnel, then you can stop most
> break-in silliness by locking down by IP address to only accept the one
> known good IP address...
>
> However, if you also need remote access to set the thing up, take care
> to not lock yourself out!
>
>
> And then also, there is the good reminder with that most excellent flag
> in Shorewall:
>
> [*] ADMINISABSENTMINDED=yes
>
> ;-)
>
>
> Good luck,
> Martin
>
>
> *:
> http://shorewall.net/manpages/shorewall.conf.html
>
>

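The steps discussed in the quoted thread, as an added example that is not part of the original messages: Jason's list (key-only sshd, a couple of named users, rate-limited attempts, non-standard port) and Martin's source-IP lock, plus a permissions check for the "key is in authorized_keys but still doesn't work" case. It assumes OpenSSH with `/etc/ssh/sshd_config.d/` drop-ins, iptables with the `recent` match and GNU findutils; the port, user names and address are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the thread. Prints (never applies) an sshd drop-in
# and iptables rules for the hardening steps discussed above. Assumes OpenSSH
# with /etc/ssh/sshd_config.d/ drop-ins, iptables with the "recent" match, and
# GNU findutils. Port, user names and IP below are constructed sample values.

# Jason's list: key-only logins, a couple of named users, non-standard port.
ssh_hardening_config() {
    port="$1"; users="$2"
    cat <<EOF
Port $port
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
AllowUsers $users
MaxAuthTries 3
LoginGraceTime 20
EOF
}

# Martin's point: accept only the one known good address, and still
# rate-limit it (more than 4 new connections per minute are dropped).
# The "! -s" DROP is also what locks you out if that address changes,
# so keep a console or VM-host route to the box before applying it.
ssh_firewall_rules() {
    port="$1"; trusted="$2"
    cat <<EOF
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport $port ! -s $trusted -j DROP
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP
iptables -A INPUT -p tcp --dport $port -j ACCEPT
EOF
}

# Returns 0 when ~/.ssh and authorized_keys exist and are neither group-
# nor world-writable; with StrictModes (the default) sshd silently ignores
# a key file that fails this check, a common cause of a key that "is in
# authorized_keys" but still does not work.
authorized_keys_perms_ok() {
    sshdir="$1"
    for p in "$sshdir" "$sshdir/authorized_keys"; do
        [ -e "$p" ] || return 1
        [ -z "$(find "$p" -maxdepth 0 -perm /022)" ] || return 1
    done
    return 0
}
# Usage: ssh_hardening_config 2222 "jason martin" > /etc/ssh/sshd_config.d/50-hardening.conf
```

Review the printed rules before piping `ssh_firewall_rules 2222 203.0.113.7 | sh`, and restart sshd only after confirming a second session still opens.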