SSH hank attempts bad?
gthornock at yahoo.com
Wed Apr 12 12:57:17 MDT 2006
--- Chris Carey <chris.carey at gmail.com> wrote:
> I agree wholeheartedly. What I meant is that its futile to
> block individual IPs. For every one you block, two more will
> appear. For an Internet connected device, one should put a
> policy for security in place that covers all IPs.
Blocking individual IPs really amounts to enumerating badness,
which admittedly isn't a very effective security policy
(although it *has* significantly reduced the problem, at least on
my server). The problem is, unless you know that you'll only
be connecting from a very few places, all known in advance, the
alternative (enumerating goodness) is a hard problem.
I like the automatic blocking idea behind DenyHosts, particularly
given its sync functionality and its automatic cleanup of old
blocks. I wish it were trivial to set it up to update my pf
rules instead of just hosts.deny for ssh. I also like the
rate-limiting idea that someone mentioned. I'm going to have to
find out how to do that in pf...
All of that, however, is still only part of a solution. It's
still important to use enumerated goodness in another context
by allowing connections only from specified users, and it's
still important to disable root access and disable password
PGP Key ID: 071B173D
Fingerprint: ED30 B048 6833 56B4 28C0 CE52 F12B 884A 071B 173D
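The pf/hosts.deny bridge the post wishes for, as an added example that is not part of the original message or of DenyHosts itself: it pulls the sshd entries DenyHosts writes to hosts.deny into a pf table so the packet filter drops those hosts, not just TCP wrappers. It assumes entries of the form `sshd: 1.2.3.4`, a table named `<denyhosts>` declared in pf.conf, and that the file path and table name are passed in by the caller.

```sh
#!/bin/sh
# Added example: load DenyHosts' sshd entries into a pf table.
# Assumed pf.conf lines (not from the thread):
#   table <denyhosts> persist
#   block in quick from <denyhosts>
#   # and the rate-limiting idea from the thread, in pf terms:
#   pass in on egress proto tcp to port ssh keep state \
#       (max-src-conn-rate 5/30, overload <denyhosts> flush global)

# Print the unique IPv4 addresses from "sshd: <ip>" lines in a
# hosts.deny-style file given as $1 (other services are ignored).
denyhosts_ips() {
    sed -n 's/^sshd:[[:space:]]*\([0-9.]*\).*/\1/p' "$1" | sort -u
}

# Replace the contents of pf table $2 with the addresses found in $1.
# "pfctl -t <table> -T replace -f <file>" swaps the table atomically,
# so addresses DenyHosts has expired are dropped from pf as well.
sync_pf_table() {
    tmp=$(mktemp) || return 1
    denyhosts_ips "$1" > "$tmp"
    pfctl -t "$2" -T replace -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample input (documentation addresses), not a real file;
# a real run would call: sync_pf_table /etc/hosts.deny denyhosts
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
ALL: PARANOID
sshd: 192.0.2.10
sshd: 198.51.100.7
sshd: 192.0.2.10
EOF
denyhosts_ips "$SAMPLE"
rm -f "$SAMPLE"
```

Run it from cron at the same interval DenyHosts purges old entries, so the pf table follows hosts.deny in both directions.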