On 6 Mar 2002, Eric Brandwine wrote:
"rp" == Rob Pickering <rob@pickering.org> writes: rp> Why would you want to expose a management protocol like ssh to the rp> Internet?
You wouldn't. Neither would I. I'll go poke fun at Chris.
I can think of a few reasons, it's no more/less secure than sendmail/postfix/bind/snmpdx/...... its just another thing to monitor and upgrade when there are problems. In most people's example networks they PROBABLY run all their 'services' on virtual interfaces anyway so ssh doesn't have to listen on the same ip as bind so perhaps it's a non-issue.
rp> OK so leaving ssh open is convenient, but if we are talking best rp> practice surely having your remote management protocols running on a rp> separate network, or at the very least filtering on a host basis so rp> that it's only listening to connects from your NOC has to be the way rp> to do this.
Absolutely. It bothers me that as an ISP, we kinda have to run mail and dns servers. If there were two protocols I'd choose NOT to expose to the public network, they'd be it. I'd much rather expose ssh than bind or sendmail.
We can be an ISP or we can not be an ISP, its a business decision... the 'be an ISP' seems to make money while the 'I got big vats of fiber in the ground wanna use it for telephones?' seems to NOT make money.