Ah yes, I always wanted to look into this for a Raspberry Pi I have somewhere else behind double NAT (carrier grade NAT). Thanks!
So you should always be up, right? Or is this robust enough to reconnect within reasonable time of is down for a while?
Again, there is no shortage of disk space and it gets rotated.
-- Truth welcomes investigation because truth knows investigation will lead to converts. It is deception that uses all the other techniques.
Den 2020-10-28 kl. 09:28, skrev A. Dumas:
That is why he wrote he uses autossh
It reestablished the tunnel if needed
So use another port that isn't blocked.
If you're really concerned about security then you don't allow *any* connections to the outside world. If you do allow connections then ssh is likely the least of your worries! :-)
-- Chris Green
If you use autossh it will cope with a 'not always there' myhost. However in my case I have an intermediate 'ssh bridge' system which is a virtual host on a commercial hosting provide so it is always there.
The 'ssh bridge' is to protect my home system from incessant ssh attacks, my home system's firewall allows connections only from two or three IPs, one of which is the ssh bridge.
-- Chris Green
Indeed damage cause by outbound ssh will be because of deliberate action by a member of staff, in which case all bets are off anyway
Outbound connections to Web pages are more likely to be the cause of accidental damage (virus & malware etc.) unfortunately blocking them does tend to make having any form of internet connection mostly unusable
blocking all outbound traffic usualy just causes headaches when someone needs to legitimately use a new service that had not been foreseen.
In my experience IT teams are notoriously obstructive to making changes & slow to deliver when their hand is forced.
-- /* * At first I thought these guys were on crack, but then I discovered the * LART. */ - comment from include/linux/mtd/cfi_endian.h
Failtoban effectively shuts the port, which, if the hacker is monitoring what is happening lets him know that he cannot make any further attempts which will stop him bothering your system & move on. This should reduce the amount of waisted traffic your network has to deal with.
it also reduces the time available for the hacker to identify any ssh exploits that may have been discovered
Security in depth.
-- Be sociable. Speak to the person next to you in the unemployment line tomorrow.
There is a difference between
I figured autossh was at least good for 3, but I wasn't sure about 2 (probably) or 1 (maybe).
Typically when this is done all ports are blocked, then some things are allowed through via proxies (including https with a MITM proxy) that allow enforcement of policies and monitoring of traffic.
That's not too dissimilar to removing the power and embedding in concrete. Stick the work "unrestricted" between allow and connections and I'd agree.
-- Steve O'Hara-Smith | Directable Mirror Arrays C:\>WIN | A better way to focus the sun The computer obeys and wins. | licences available see You lose and Bill collects. | http://www.sohara.org/
As I said, in ten years up, no breakins. I dont fix nonexistent problems
-- ?The urge to save humanity is almost always only a false face for the urge to rule it.? ? H. L. Mencken
Am 27.10.20 um 16:40 schrieb Martin Gregorie:
Because it is not available. ipv4 over ipv6.
Jan
I guess you'll have to provide a little more detail on the network setup. Is it 4over6 tunneling you mean perhaps? At a guess that would look like any ipv4 connection with no unique public IP address that someone could connect to? But what about the ipv6 side then, shouldn't that be easy to connect to or is it blocked somehow as well?
ElectronDepot website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.