Post #2, jggimi, 20th August 2013
Quote:
..Would it help security to ssh into this box using fxp1 instead of fxp0
i.e. physically separating WAN internet and ssh traffic...
You don't want to have two NICs on the same subnet. From a network design perspective, that's not recommended.

If your SSH use is conducted using best practices, there would be no security implication to having its traffic use the same network segment, or having your SSH service accessible from the Internet. Mine are.

Best practices are key. The default sshd_config has two options which are present for ease of remote installation and initial configuration of the OS, but are not commonly considered best practice:
  • PermitRootLogin yes
  • PasswordAuthentication yes
The general recommendation is to set both of these to "no". This prevents access using passwords as an authentication method entirely, and prevents authentication attacks on the superuser account.

Personally, I like two authentication methods: 1) public key authentication with a passphrase, which provides two-factor authentication, and 2) S/Key one-time-pads when I'm using workstations I don't control. There are other methods available as well.

Using PF, you could restrict SSH access to the server so that access is only permitted by addresses on your LAN, but that would not prevent an attack vector coming from your LAN -- which is always possible, if a platform on your LAN were compromised.
Quote:
What would be the diff in doing that with using an alias on fxp0 ?????
Network architecture is a separate subject. In general, you don't want to have a device with two NICs on the same subnet. Aliases work, that doesn't.
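A quick way to verify the two sshd_config settings the post recommends is to audit the file the same way sshd reads it: the first occurrence of a keyword wins, keywords are case-insensitive, and anything after "#" is a comment. The script below is an added example, not code from the post or from OpenBSD; it checks only the global section (it stops at the first Match block), assumes the "keyword value" form rather than "keyword=value", and the two sample configs it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit an sshd_config for PermitRootLogin and
# PasswordAuthentication. Not part of the original post.

# sshd_directive FILE KEYWORD
# Prints the effective global value of KEYWORD: first match wins,
# comparison is case-insensitive, comments are stripped, and scanning
# stops at the first "Match" block (assumption: "keyword value" syntax only).
sshd_directive() {
    awk -v key="$2" '
        { sub(/#.*/, "") }                          # drop comments
        tolower($1) == "match" { exit }             # leave Match blocks alone
        NF >= 2 && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# check_sshd_config FILE
# Returns 0 when both directives are explicitly "no", 1 otherwise.
# An unset directive is reported as a warning because it falls back to
# the compiled-in default, which the post describes as "yes".
check_sshd_config() {
    rc=0
    for key in PermitRootLogin PasswordAuthentication; do
        val=$(sshd_directive "$1" "$key")
        case "$val" in
            no) echo "ok:   $key no" ;;
            "") echo "WARN: $key not set (compiled-in default applies)"; rc=1 ;;
            *)  echo "WARN: $key $val"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample configs for the demonstration.
tmp=$(mktemp -d)
cat > "$tmp/permissive" <<'EOF'
# install-time defaults described in the post
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$tmp/hardened" <<'EOF'
Port 22
permitrootlogin no          # keyword case does not matter to sshd
PasswordAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF

echo "== permissive =="
check_sshd_config "$tmp/permissive" || echo "result: needs hardening"
echo "== hardened =="
check_sshd_config "$tmp/hardened" && echo "result: ok"
```

Run it against the real file with `check_sshd_config /etc/ssh/sshd_config`; after editing, `sshd -t` checks the file for syntax errors and `sshd -T` prints the effective configuration, including values inherited from defaults, which is the authoritative view when a directive is not set explicitly.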