If you're really concerned about security then you don't allow *any* connections to the outside world. If you do allow connections then ssh is likely the least of your worries! :-)
If you use autossh it will cope with a 'not always there' myhost. However, in my case I have an intermediate 'ssh bridge' system, which is a virtual host on a commercial hosting provider, so it is always there.
The 'ssh bridge' is to protect my home system from incessant ssh attacks; my home system's firewall allows connections only from two or three IPs, one of which is the ssh bridge.
Indeed, damage caused by outbound ssh will be because of deliberate action by a member of staff, in which case all bets are off anyway.
Outbound connections to Web pages are more likely to be the cause of accidental damage (viruses, malware, etc.); unfortunately, blocking them does tend to make having any form of internet connection mostly unusable.
Blocking all outbound traffic usually just causes headaches when someone needs to legitimately use a new service that had not been foreseen.
In my experience IT teams are notoriously obstructive to making changes & slow to deliver when their hand is forced.
--
/*
* At first I thought these guys were on crack, but then I discovered the
* LART.
*/
- comment from include/linux/mtd/cfi_endian.h
Fail2ban effectively shuts the port, which, if the hacker is monitoring what is happening, lets him know that he cannot make any further attempts, which will stop him bothering your system, and he will move on. This should reduce the amount of wasted traffic your network has to deal with.
It also reduces the time available for the hacker to identify any ssh exploits that may have been discovered.
Security in depth.
--
Be sociable. Speak to the person next to you in the unemployment line
tomorrow.
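What fail2ban is doing in the post above, as an added example (this is not part of the original post and not fail2ban's own code): a sliding-window counter over sshd log lines that bans an address after `maxretry` failures within `findtime` seconds and lifts the ban after `bantime`. The option names mirror fail2ban's, but the implementation is an assumption made here for illustration; the log lines are constructed and use documentation address ranges, and `firewall_rule()` is a hypothetical rendering of the REJECT rule such a ban corresponds to.

```python
"""Fail2ban-style ban logic over sshd 'Failed password' lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed /var/log/auth.log sample: one fast brute-forcer (203.0.113.7),
# one slow guesser (198.51.100.4) and one legitimate key login (192.0.2.10).
SAMPLE_LOG = """\
Mar  3 10:00:01 home sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50211 ssh2
Mar  3 10:00:05 home sshd[1203]: Failed password for root from 203.0.113.7 port 50212 ssh2
Mar  3 10:00:09 home sshd[1205]: Failed password for root from 203.0.113.7 port 50213 ssh2
Mar  3 10:00:12 home sshd[1207]: Failed password for root from 203.0.113.7 port 50214 ssh2
Mar  3 10:00:15 home sshd[1209]: Failed password for root from 203.0.113.7 port 50215 ssh2
Mar  3 10:01:00 home sshd[1220]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Mar  3 10:30:00 home sshd[1300]: Failed password for alice from 198.51.100.4 port 40002 ssh2
Mar  3 11:00:00 home sshd[1400]: Accepted publickey for bob from 192.0.2.10 port 33000 ssh2
Mar  3 11:15:00 home sshd[1405]: Failed password for alice from 198.51.100.4 port 40003 ssh2
"""

# Matches the syslog timestamp and the source address of a failed password attempt.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_ts(ts, year=2024):
    """Syslog timestamps carry no year; assume one so lines are comparable."""
    normalised = " ".join(ts.split())  # collapse the padding in 'Mar  3'
    return datetime.strptime(f"{year} {normalised}", "%Y %b %d %H:%M:%S")


def scan(log_text, maxretry=5, findtime=600):
    """Return {ip: time_of_ban} for addresses with >= maxretry failures
    inside any findtime-second window. Failures older than the window are
    dropped, so a slow guesser never accumulates enough to trip the ban."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    bans = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ip, t = m.group("ip"), parse_ts(m.group("ts"))
        q = recent[ip]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()
        if len(q) >= maxretry and ip not in bans:
            bans[ip] = t
    return bans


def is_banned(bans, ip, now, bantime=3600):
    """A ban is active for bantime seconds after it was imposed, then lifted."""
    start = bans.get(ip)
    return start is not None and now - start < timedelta(seconds=bantime)


def firewall_rule(ip):
    """Hypothetical iptables rule in the spirit of fail2ban's default REJECT
    action: the peer gets port-unreachable instead of a silent drop."""
    return (f"iptables -I INPUT -p tcp --dport 22 -s {ip} "
            f"-j REJECT --reject-with icmp-port-unreachable")


if __name__ == "__main__":
    for ip, when in scan(SAMPLE_LOG).items():
        print(f"{when:%H:%M:%S} ban {ip}: {firewall_rule(ip)}")
```

Run as-is it reports only 203.0.113.7: five failures in 14 seconds trips the default `maxretry`, while the three failures from 198.51.100.4 are spread over more than an hour and never share a 600-second window. Lowering `findtime` without lowering `maxretry` has the opposite effect of what is often intended; it makes the ban harder to trigger, not easier.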
Typically when this is done all ports are blocked, then some things are allowed through via proxies (including https with a MITM proxy) that allow enforcement of policies and monitoring of traffic.
That's not too dissimilar to removing the power and embedding in concrete. Stick the word "unrestricted" between allow and connections and I'd agree.
--
Steve O'Hara-Smith | Directable Mirror Arrays
C:\>WIN | A better way to focus the sun
The computer obeys and wins. | licences available see
You lose and Bill collects. | http://www.sohara.org/
I guess you'll have to provide a little more detail on the network setup. Is it 4over6 tunneling you mean perhaps? At a guess that would look like any ipv4 connection with no unique public IP address that someone could connect to? But what about the ipv6 side then, shouldn't that be easy to connect to or is it blocked somehow as well?