Customer-facing ACLs

Jay Hennigan jay at west.net
Sat Mar 8 20:58:15 UTC 2008


Dave Pooser wrote:

> Half the Mac users? You think? I know a dozen or so sysadmins who use Macs,

[raises hand...]

> and about a hundred users who wouldn't know SSH from PCP; I think that's
> probably a slightly skewed sample considering I'm a Mac geek who hangs
> around with Mac geeks, and I'd guess the consumer users are a larger
> percentage of the real-life population. 

I was quite surprised to see the large number of Mac laptops at NANOG 
42.  I didn't do a formal count but it seemed like about 1/4 to 1/3 of 
the laptops in use were Macs.

> I'd expect the number of folks who
> want SSH unblocked to be under 1% of a consumer broadband network, and
> probably closer to 0.1% or so. And again, it ought to be trivial to let your
> users unblock the system, either via phone call or via self-service Web page
> (though in the latter case you'd better use a captcha or something so the
> bot doesn't automatically unblock itself).

I'm against the slippery slope of blocking ports by default, with the 
possible exception of SMTP if the provider offers a well-publicized 
local SMTP server.

Servers that must leave ssh open to the Internet can and should consider 
using some form of time-out script like this one: 
http://www.pettingers.org/code/SSHBlack.html

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
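A minimal version of the kind of time-out script Jay points to, as an added example written here rather than code from SSHBlack or the list: it scans sshd log lines for repeated failed logins from one source, records a temporary block once a threshold is hit inside a window, and lifts the block after the timeout. The log lines are constructed, and block/unblock actions are only appended to a list where a real script would call the host firewall.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd lines in syslog format (not real traffic); the log has no year.
SAMPLE_LOG = """\
Mar  8 20:50:01 gw sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 51020 ssh2
Mar  8 20:50:03 gw sshd[1202]: Failed password for invalid user oracle from 192.0.2.10 port 51021 ssh2
Mar  8 20:50:05 gw sshd[1203]: Failed password for root from 192.0.2.10 port 51022 ssh2
Mar  8 20:50:07 gw sshd[1204]: Failed password for root from 192.0.2.10 port 51023 ssh2
Mar  8 20:51:00 gw sshd[1205]: Failed password for jay from 198.51.100.7 port 40000 ssh2
Mar  8 20:51:30 gw sshd[1206]: Accepted publickey for jay from 198.51.100.7 port 40001 ssh2
Mar  8 21:05:00 gw sshd[1207]: Failed password for invalid user test from 192.0.2.10 port 51024 ssh2
"""

FAIL_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port")

class SshBlocker:
    """Block a source for block_for after `threshold` failures within `window`."""
    def __init__(self, threshold=4, window=timedelta(minutes=5),
                 block_for=timedelta(minutes=10), year=2008):
        self.threshold, self.window, self.block_for, self.year = threshold, window, block_for, year
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked = {}                   # ip -> expiry time
        self.actions = []                   # ("block"|"unblock", ip) audit trail

    def _expire(self, now):
        # A real script would also run this on a timer, not only when a line arrives.
        for ip, until in list(self.blocked.items()):
            if now >= until:
                del self.blocked[ip]
                self.actions.append(("unblock", ip))

    def feed(self, line):
        m = FAIL_RE.match(line)
        if not m:
            return
        ts = datetime.strptime(f"{self.year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        self._expire(ts)
        if ip in self.blocked:
            return  # already blocked; the firewall should be dropping these
        q = self.failures[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop failures older than the window
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked[ip] = ts + self.block_for
            self.actions.append(("block", ip))
            q.clear()

def run(log=SAMPLE_LOG):
    b = SshBlocker()
    for line in log.splitlines():
        b.feed(line)
    return b.actions
```

In the sample, 192.0.2.10 is blocked on its fourth failure within five minutes and released when its next attempt arrives after the ten-minute timeout, while the single failure from 198.51.100.7 followed by a successful key login never trips the threshold.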