nanog mailing list archives

Re: Customer-facing ACLs

From: Justin Shore <justin () justinshore com>
Date: Sat, 08 Mar 2008 12:17:38 -0600


Mark Foster wrote:

Port 22 outbound? And 23? Telnet and SSH _outbound_ cause that much ofa concern? I can only assume it's to stop clients exploited boxen beingused to anonymise further telnet/ssh attempts - but have to admit thisdiscussion is the first i've heard of it being done 'en masse'.

I don't think there's much to be gained from blocking ingress 22 fromcustomers. I don't see any SSH scans originating from my customers(though there is always the potential). I wouldn't have any issues withblocking outbound telnet though but I can't really justify it eithersince I don't see a real big problem with that kind of trafficoriginating on my network either.

Now inbound SSH and Telnet (destined for my customers) should be blockedIMHO. Doing a little prodding around our netspace I've found most SSHinstalls to be of a known vulnerable version or at least an old versionyet to have any vulnerabilities found in. Nothing positive could comefrom letting them get compromised. We would of course offer a way forusers to get around the block. Our current approach is to have themsign up for a static IP (another $5/month). The fee keeps everyone fromautomatically signing up for is as "free stuff" but still gives thelegit users an inexpensive way to get what they need.

It'd frustrate me if I jacked into a friends Internet in order to dosome legitimate SSH based server administration, I imagine...

Agreed but remember that people like you, I and the rest of the readersof NANOG are a teeny tiny minority on the Internet. I could pick acouple thousand of my users at random and not find one that knows whatSSH is.

Is this not 'reaching' or is there a genuine benefit in blocking theseports as well?

I don't think there's much to be gained from blocking telnet & SSH fromthe customers to the Internet. Blocking SMTP in the same direction iscritical IMHO. Blocking the same 3 ports back to the customer makessense to me though. I think there is a real and tangible benefit to theexercise.


Justin

Current thread:

Re: NANOG laptops (was Re: Customer-facing ACLs), (continued)
- - - Re: NANOG laptops (was Re: Customer-facing ACLs) Paul Vixie (Mar 09)
    - Re: NANOG laptops (was Re: Customer-facing ACLs) Randy Bush (Mar 09)
    - Re: NANOG laptops (was Re: Customer-facing ACLs) Bill Woodcock (Mar 09)
    - Re: NANOG laptops (was Re: Customer-facing ACLs) Al Iverson (Mar 09)
    - Re: NANOG laptops (was Re: Customer-facing ACLs) Marshall Eubanks (Mar 09)
    - Re: NANOG laptops (was Re: Customer-facing ACLs) William Allen Simpson (Mar 09)
    - Re: NANOG laptops (was Re: Customer-facing ACLs) Mark Prior (Mar 10)
    - Re: NANOG laptops (was Re: Customer-facing ACLs) Bill Woodcock (Mar 09)
    - Re: Customer-facing ACLs Justin Shore (Mar 09)
    - Re: Customer-facing ACLs Adrian Chadd (Mar 08)
    - Re: Customer-facing ACLs Justin Shore (Mar 08)
    - Re: Customer-facing ACLs Chris Marlatt (Mar 10)
    - Re: Customer-facing ACLs Adrian Chadd (Mar 10)
    - Re: Customer-facing ACLs Justin Shore (Mar 10)
  - Re: Customer-facing ACLs Sean Donelan (Mar 10)
  - Re: Customer-facing ACLs Andy Davidson (Mar 18)
    - Re: Customer-facing ACLs Marshall Eubanks (Mar 18)
    - Re: Customer-facing ACLs Jon Lewis (Mar 18)
    - Re: Customer-facing ACLs Adrian Chadd (Mar 18)
- RE: Customer-facing ACLs Scott Weeks (Mar 07)
  - Re: Customer-facing ACLs Justin Shore (Mar 07)

(Thread continues...)