Lisa Kachold wrote:
He's going to be stuck between usability and security with a two tiered approach?  Plus we have not even started to dissect the web SSL/Apache exploits (which is another HUGE subject)!
Very true, but I'd almost rather have a second layer of auth than to allow an entire class B to connect.

I am waiting for end to end Cell BlackBerry Encryption (outside of Enterprise Servers) and VPN applications for phones!
My co-worker has an Apple iPhone and they have a Cisco VPN client for it which seems to work nicely. I assumed they had something similar for the BlackBerry.
His solution is going to be either their Unlimited Data Pack upgrade [$49.99] with a static IP, or deploy "calculated risk" in leaving open SSH to the WHOLE SWIP-assigned ARIN AT&T block on his server to access port 22 via the phone.
Agreed. The risky part can be made less risky by using your previous suggestions of running on non-standard port, using one of the various anti-brute-force packages, and putting some human eyeballs on the logfiles now and then.

Server settings per security recommendations: (/etc/ssh/sshd_config):

1) Use Protocol 2
2) Disallow root access [Fools Rush in!]
3) Set up keys
4) Really complex password [8 characters or greater]
5) Password Aging (bi-monthly)
6) Wrap SSH with SSHIT or SSHUTOUT [http://anp.ath.cx/sshit/]
7) Deploy the two line IPTABLES SSH overflow protection AND control SSH port source and destination if possible (full SWIP'd IP Class A for AT&T) [http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/]
8) Run tripwire and rootkit comparison tools from /etc/cron.monthly.
Ah there we go. I should have read further before I made the comment above :-)
Of course, he could run SSH on another port JUST for his phone [while doing all of the above] (depending on which application he is using on the phone) - some don't allow unique ports other than 22 (and he would have to use SSHUTOUT [since it's one of the few that allow unique custom ports]).
I knew someone once who had a crazy setup where SSH was only unblocked during certain times of the day, and running on a different port each time, that he had some mental algorithm to keep track of. So to try and hack his SSH you would have to find the right port at the right time, and the window was only open for a variable X minutes, haha.  Not very useful (what if you need to fix a problem NOW) but was kind of neat just by how overly-complicated it was. He also did odd things like modify his TCP/IP stack so that nmap fingerprinting would report his machine was an SGI IRIX box, so hackers tried all the wrong exploits, haha.
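A small checker for the sshd_config points in the list quoted above (Protocol 2, no root login, keys, non-default port, source restriction), as an added example that is not from this thread or its authors. It assumes sshd's own parsing rules (keys are case-insensitive, the first value of a keyword wins, Match blocks scope the lines after them) and uses a constructed placeholder network, 198.51.100.0/24, in place of the phone's carrier block.

```python
import re

def parse_sshd_config(text):
    """Parse sshd_config text into (global_opts, match_blocks).
    Keys are lower-cased; in the global section the first value wins, as in
    sshd. Each Match block is kept as (criteria, opts) for scoped checks."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # sshd only treats whole lines as comments
            continue
        m = re.match(r"(\w+)\s*=?\s*(.*)", line)  # "Key value" or "Key=value"
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            current = {}
            blocks.append((val, current))
        elif current is not None:
            current.setdefault(key, val)
        else:
            global_opts.setdefault(key, val)
    return global_opts, blocks

def audit_sshd_config(text):
    """Return a list of findings; an empty list means every check passed."""
    g, blocks = parse_sshd_config(text)
    findings = []
    if "1" in g.get("protocol", "2").split(","):
        findings.append("Protocol allows SSHv1; set 'Protocol 2'")
    if g.get("permitrootlogin", "yes") != "no":
        findings.append("PermitRootLogin is not 'no'")
    if g.get("pubkeyauthentication", "yes") == "no":
        findings.append("PubkeyAuthentication is off, so key-based login cannot be used")
    if g.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication is on globally (sshd default); "
                        "allow it only inside a Match Address block, if at all")
    if g.get("port", "22") == "22":
        findings.append("sshd listens on the default port 22")
    scoped = any("address" in crit.lower().split() for crit, _ in blocks)
    if not scoped and "@" not in g.get("allowusers", ""):
        findings.append("no source restriction (Match Address or user@host in AllowUsers)")
    return findings

# Constructed sample configs; 198.51.100.0/24 stands in for the phone's carrier block.
WEAK_CONFIG = "Protocol 2,1\n#PermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED_CONFIG = ("Port 2222\nProtocol 2\nPermitRootLogin no\n"
                   "PasswordAuthentication no\nMaxAuthTries 3\n"
                   "Match Address 198.51.100.0/24\n    PasswordAuthentication yes\n")
```

Run `audit_sshd_config(open("/etc/ssh/sshd_config").read())` on the server to list the points from the checklist that are still open.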