Customer-facing ACLs

Dave Pooser dave.nanog at alfordmedia.com
Sat Mar 8 08:10:39 UTC 2008


> I can understand the logic of dropping the port, but there's some
> additional thought involved when looking at Port 22 - maybe I'm not
> well-read enough, but the bots I've seen that are doing SSH scans, etc,
> are not usually on Windows systems. I can figure them working on Linux,
> MacOS systems - but surely the vast majority of 'vulnerable' hosts are
> those running OS's coming from our favourite megacorp?  Which typically
> don't come shipped with either an SSH server or an SSH client... ?

They typically don't ship with an SMTP server either. Considering that my
preferred SSH client for Windows weighs in as a single 412k .exe, I'd
imagine that bot designers are just writing their own SSH clients for
brute-forcing.
 
> To me, at least half the users likely to be running either Linux or Mac
> are going to be the same users who're going to request they be allowed
> outbound SSH.... is the blocking of outbound SSH considered to be
> sufficiently useful that we're advocating it these days?

Half the Mac users? You think? I know a dozen or so sysadmins who use Macs,
and about a hundred users who wouldn't know SSH from PCP; I think that's
probably a slightly skewed sample considering I'm a Mac geek who hangs
around with Mac geeks, and I'd guess the consumer users are a larger
percentage of the real-life population. I'd expect the number of folks who
want SSH unblocked to be under 1% of a consumer broadband network, and
probably closer to 0.1% or so. And again, it ought to be trivial to let your
users unblock the system, either via phone call or via self-service Web page
(though in the latter case you'd better use a captcha or something so the
bot doesn't automatically unblock itself).
-- 
Dave Pooser, ACSA
Manager of Information Services
Alford Media http://www.alfordmedia.com
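The policy argued for in the message above (block outbound TCP/22 from the consumer pool by default, let individual customers opt out, and gate the self-service opt-out behind a captcha) can be expressed as a small ACL generator plus a policy evaluator. This is an added example, not code from the thread or from any NANOG participant: the customer pool 198.51.100.0/24, the Cisco-style ACL syntax, and the function names are all constructed assumptions.

```python
"""Default-deny outbound TCP/22 for a consumer pool with a per-customer
opt-out list. Added illustration; pool, exempt list and ACL syntax are
constructed assumptions, not anything from the original thread."""
import ipaddress

# Constructed sample consumer pool (assumption: one /24 of documentation space).
CUSTOMER_POOL = ipaddress.ip_network("198.51.100.0/24")


def build_outbound_ssh_acl(pool, exempt_hosts, acl_name="CUSTOMER-OUT"):
    """Return ACL lines in an assumed Cisco-like syntax: explicit permits for
    opted-out hosts first, then a logged deny of TCP/22 from the whole pool,
    then permit everything else. Ordering matters: the permits must precede
    the deny, so exempt hosts are emitted before the pool-wide rule."""
    lines = [f"ip access-list extended {acl_name}"]
    for host in sorted(exempt_hosts, key=ipaddress.ip_address):
        ip = ipaddress.ip_address(host)
        if ip not in pool:
            # Refuse to emit a permit for an address the ACL does not govern.
            raise ValueError(f"{host} is not inside the customer pool")
        lines.append(f" permit tcp host {ip} any eq 22")
    # Wildcard (inverse) mask form, as the assumed ACL syntax expects.
    lines.append(f" deny tcp {pool.network_address} {pool.hostmask} any eq 22 log")
    lines.append(" permit ip any any")
    return lines


def outbound_ssh_permitted(src_ip, pool, exempt_hosts):
    """Evaluate the same policy for one source address: exempt hosts pass,
    every other address in the pool is denied, and addresses outside the
    pool are not touched by this rule at all."""
    ip = ipaddress.ip_address(src_ip)
    if str(ip) in exempt_hosts:
        return True
    return ip not in pool


def request_unblock(exempt_hosts, src_ip, pool, captcha_passed):
    """Self-service opt-out gate. Only a request that passed the captcha adds
    the host, and only if the host actually lives in the governed pool; a new
    set is returned so the caller's list is never mutated by a failed request."""
    ip = ipaddress.ip_address(src_ip)
    updated = set(exempt_hosts)
    if captcha_passed and ip in pool:
        updated.add(str(ip))
    return updated


if __name__ == "__main__":
    exempt = request_unblock(set(), "198.51.100.7", CUSTOMER_POOL, captcha_passed=True)
    print("\n".join(build_outbound_ssh_acl(CUSTOMER_POOL, exempt)))
```

The evaluator and the generator encode one policy, so a change to the exempt set is reflected in both the rendered ACL and the per-flow decision; the captcha check in `request_unblock` is the only path by which a host can move from the denied group to the permitted one.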