North American Network Operators Group


Re: Customer-facing ACLs

  • From: Justin Shore
  • Date: Sat Mar 08 13:30:53 2008

Mark Foster wrote:

> Port 22 outbound? And 23? Telnet and SSH _outbound_ cause that much of a concern? I can only assume it's to stop clients' exploited boxen being used to anonymise further telnet/ssh attempts - but have to admit this discussion is the first I've heard of it being done 'en masse'.

I don't think there's much to be gained from blocking ingress 22 from customers. I don't see any SSH scans originating from my customers (though there is always the potential). I wouldn't have any issues with blocking outbound telnet though but I can't really justify it either since I don't see a real big problem with that kind of traffic originating on my network either.

Now inbound SSH and Telnet (destined for my customers) should be blocked IMHO. Doing a little prodding around our netspace I've found most SSH installs to be of a known vulnerable version, or at least an old version with no vulnerabilities found in it yet. Nothing positive could come from letting them get compromised. We would of course offer a way for users to get around the block. Our current approach is to have them sign up for a static IP (another $5/month). The fee keeps everyone from automatically signing up for it as "free stuff" but still gives the legit users an inexpensive way to get what they need.

> It'd frustrate me if I jacked into a friend's Internet in order to do some legitimate SSH-based server administration, I imagine...

Agreed, but remember that people like you, me and the rest of the readers of NANOG are a teeny tiny minority on the Internet. I could pick a couple thousand of my users at random and not find one that knows what SSH is.

> Is this not 'reaching' or is there a genuine benefit in blocking these ports as well?

I don't think there's much to be gained from blocking telnet & SSH from the customers to the Internet. Blocking SMTP in the same direction is critical IMHO. Blocking the same 3 ports back to the customer makes sense to me though. I think there is a real and tangible benefit to the exercise.
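The policy sketched in this message (drop 22/23/25 toward the customer pool, drop direct SMTP from it, exempt customers who bought a static IP) written out as a pair of Cisco-style extended ACLs, as an added example that is not part of the original post or the poster's configuration. It is the editor's own code: the prefixes are RFC 5737 documentation ranges, the static-IP exemption list, the "ISP mail relay stays reachable" entry and the ACL names are assumptions, and the small first-match evaluator exists only so the policy can be checked against sample flows before it goes on a router.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed example addressing from the RFC 5737 documentation ranges;
# none of these are the poster's real prefixes.
ANY = ipaddress.ip_network("0.0.0.0/0")
CUSTOMER_POOL = ipaddress.ip_network("198.51.100.0/24")          # dynamic-IP customers
STATIC_CUSTOMERS = [ipaddress.ip_network("198.51.100.200/32"),    # paid static-IP customers,
                    ipaddress.ip_network("198.51.100.201/32")]    # exempt from the block (assumed policy)
ISP_MAIL_RELAY = ipaddress.ip_network("203.0.113.25/32")          # assumed ISP smarthost

INBOUND_BLOCKED = (22, 23, 25)   # Internet -> customer, the three ports the post names
OUTBOUND_BLOCKED = (25,)         # customer -> Internet: only SMTP


@dataclass(frozen=True)
class ACE:
    """One access-control entry; dport None means 'any port' (rendered as protocol 'ip')."""
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None

    def matches(self, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address, dport: int) -> bool:
        return src in self.src and dst in self.dst and (self.dport is None or self.dport == dport)


def _ios_addr(net: ipaddress.IPv4Network) -> str:
    """Render a prefix the way IOS extended ACLs expect (any / host / wildcard mask)."""
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"   # hostmask is the IOS wildcard mask


def render_ios(name: str, acl: List[ACE]) -> List[str]:
    """Turn the ACE list into 'ip access-list extended' configuration lines."""
    lines = [f"ip access-list extended {name}"]
    for ace in acl:
        if ace.dport is None:
            lines.append(f" {ace.action} ip {_ios_addr(ace.src)} {_ios_addr(ace.dst)}")
        else:
            lines.append(f" {ace.action} tcp {_ios_addr(ace.src)} {_ios_addr(ace.dst)} eq {ace.dport}")
    return lines


def evaluate(acl: List[ACE], src: str, dst: str, dport: int) -> str:
    """First-match evaluation, as a router does it; the implicit deny only applies
    if nothing matches, which the trailing 'permit ip any any' prevents."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.matches(s, d, dport):
            return ace.action
    return "deny"


def build_to_customer_acl() -> List[ACE]:
    """Applied toward the customer pool: exemptions first, then the 22/23/25 block, then permit the rest."""
    acl = [ACE("permit", ANY, s, p) for s in STATIC_CUSTOMERS for p in INBOUND_BLOCKED]
    acl += [ACE("deny", ANY, CUSTOMER_POOL, p) for p in INBOUND_BLOCKED]
    acl.append(ACE("permit", ANY, ANY))
    return acl


def build_from_customer_acl() -> List[ACE]:
    """Applied from the customer pool: keep the ISP relay reachable so customers can
    still send mail, exempt static-IP customers, then block direct outbound SMTP."""
    acl = [ACE("permit", CUSTOMER_POOL, ISP_MAIL_RELAY, 25)]
    acl += [ACE("permit", s, ANY, p) for s in STATIC_CUSTOMERS for p in OUTBOUND_BLOCKED]
    acl += [ACE("deny", CUSTOMER_POOL, ANY, p) for p in OUTBOUND_BLOCKED]
    acl.append(ACE("permit", ANY, ANY))
    return acl


if __name__ == "__main__":
    for name, acl in (("TO-CUSTOMERS", build_to_customer_acl()),
                      ("FROM-CUSTOMERS", build_from_customer_acl())):
        print("\n".join(render_ios(name, acl)))
    # Sample flows: SSH from the Internet to a dynamic customer is denied,
    # the same to a static-IP customer is permitted.
    print(evaluate(build_to_customer_acl(), "192.0.2.7", "198.51.100.10", 22))
    print(evaluate(build_to_customer_acl(), "192.0.2.7", "198.51.100.200", 22))
```

Two things to check before deploying a list like this: the ordering matters (the per-customer permits must sit above the pool-wide denies, since IOS stops at the first match), and the outbound SMTP deny needs an exemption for whatever relay customers are told to use, or the block breaks their mail rather than just the spam.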