I think if you use double authentication (both keys and a password) and put your SSH server on a different port then you are doing the best you can. You hope to prevent a 0-day but you cannot fully protect yourself...
James
On Fri, Jul 10, 2009 at 7:06 PM, Rob Townley rob.townley@gmail.com wrote:
On Fri, Jul 10, 2009 at 9:33 AM, Peter Kjellstrom cap@nsc.liu.se wrote:
On Friday 10 July 2009, Rob Kampen wrote:
Coert Waagmeester wrote:
...
it only allows one NEW connection to ssh per minute.
That is also a good protection right?
...
Not really protection - rather a deterrent - it just makes it slower for the script kiddies that try brute force attacks
Basically it's not so much about protection in the end as it is about keeping your secure-log readable. Or maybe also a sense of being secure...
It's always good to limit your exposure but you really have to weigh cost against the win. Two examples:
Limit from which hosts you can login to a server:
  Configuration cost: trivial setup (one iptables line)
  Additional cost: between no impact and some impact depending on your habits
  Positive effect: 99.9+% of all scans and login attempts are now gone
  Verdict: Clear win as long as the set of servers are easily identifiable

Elaborate knocking/blocking setup:
  Configuration cost: significant (include keeping it up-to-date)
  Additional cost: setup of clients for knocking, use of -p XXX for new port
  Positive effect: "standard scans" will probably miss but not air tight
  Verdict: Harder to judge, I think it's often not worth it
Other things worth looking into are, for example, access.conf (pam_access.so) and ensuring that non-trivial passwords are used.
my €0.02, Peter
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Virtual networks such as tinc-vpn.org or hamachi create an encrypted network only accessible to members of the virtual network. So if your server's virtual nic has an address of 5.4.3.2, then the only other host that may see your server would be your laptop with address 5.4.3.3. No other internet hosts would even see 5.4.3.2... It is like IPSec, but much easier.
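Peter's first example (a source allow-list for port 22, "one iptables line") and his remark that rate-limiting mostly keeps the secure-log readable can both be checked against your own logs before you change anything. The script below is an added example, not code from anyone in this thread: it parses sshd "Failed password" lines in CentOS /var/log/secure format, counts failures per source address, reports how many of those failures an allow-list would have dropped at the firewall before sshd ever logged them, and renders the corresponding iptables lines. The log lines and the addresses (documentation ranges) are constructed for the example, and the trusted network 192.0.2.0/24 is an assumed stand-in for "the hosts you log in from".

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of /var/log/secure lines (sshd, CentOS syslog format).
# Addresses are documentation ranges invented for this example.
SAMPLE_SECURE_LOG = """\
Jul 10 09:31:02 web1 sshd[4021]: Failed password for invalid user admin from 198.51.100.23 port 41022 ssh2
Jul 10 09:31:05 web1 sshd[4021]: Failed password for invalid user admin from 198.51.100.23 port 41023 ssh2
Jul 10 09:31:09 web1 sshd[4025]: Failed password for root from 198.51.100.23 port 41031 ssh2
Jul 10 09:32:40 web1 sshd[4033]: Invalid user oracle from 203.0.113.77
Jul 10 09:32:41 web1 sshd[4033]: Failed password for invalid user oracle from 203.0.113.77 port 50210 ssh2
Jul 10 09:35:12 web1 sshd[4040]: Accepted publickey for peter from 192.0.2.10 port 52200 ssh2
Jul 10 09:36:01 web1 sshd[4044]: Failed password for peter from 192.0.2.10 port 52214 ssh2
Jul 10 09:36:05 web1 sshd[4044]: Accepted password for peter from 192.0.2.10 port 52214 ssh2
"""

# Matches "Failed password for [invalid user] <name> from <ipv4> port <n>".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def failed_attempts(log_text):
    """Count failed sshd logins per source address in syslog-formatted text."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("src")] += 1
    return counts


def allowlist_impact(counts, allowed_cidrs):
    """Split observed failures into those a source allow-list on port 22 would
    have dropped before sshd saw them, and those from trusted networks that
    would still reach sshd (and the log)."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    dropped = Counter()
    remaining = Counter()
    for src, n in counts.items():
        addr = ipaddress.ip_address(src)
        (remaining if any(addr in net for net in nets) else dropped)[src] = n
    return {
        "dropped": sum(dropped.values()),
        "remaining": sum(remaining.values()),
        "dropped_sources": sorted(dropped),
    }


def allowlist_rules(allowed_cidrs, port=22):
    """Render the allow-list as iptables lines: one ACCEPT per trusted network,
    then a DROP for everyone else on the SSH port."""
    rules = [
        f"iptables -A INPUT -p tcp --dport {port} -s {cidr} -j ACCEPT"
        for cidr in allowed_cidrs
    ]
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    counts = failed_attempts(SAMPLE_SECURE_LOG)
    trusted = ["192.0.2.0/24"]  # assumed: the network the admin logs in from
    print("failed logins per source:", dict(counts))
    print("with allow-list", trusted, "->", allowlist_impact(counts, trusted))
    print("\n".join(allowlist_rules(trusted)))
```

Run it against a real /var/log/secure (after checking that your sshd's log format matches the regex) and the "dropped" figure is the share of noise the allow-list would remove from the log, while "remaining" is what you would still have to read; the failure from 192.0.2.10 in the sample shows that a trusted network still gets through, so the allow-list is not a substitute for good passwords or keys.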