On Fri, Jul 10, 2009 at 9:33 AM, Peter Kjellstrom <cap@nsc.liu.se> wrote:
> On Friday 10 July 2009, Rob Kampen wrote:
>> Coert Waagmeester wrote:
> ...
>> > it only allows one NEW connection to ssh per minute.
>> >
>> > That is also good protection, right?
> ...
>> Not really protection, rather a deterrent: it just makes it slower for
>> the script kiddies that try brute-force attacks.
>
> Basically it's not so much about protection in the end as it is about keeping
> your secure-log readable. Or maybe also a sense of being secure...
>
> It's always good to limit your exposure but you really have to weigh cost
> against the win. Two examples:
>
> Limit from which hosts you can login to a server:
> Configuration cost: trivial setup (one iptables line)
> Additional cost: between no impact and some impact depending on your habits
> Positive effect: 99.9+% of all scans and login attempts are now gone
> Verdict: Clear win as long as the set of servers is easily identifiable
>
> Elaborate knocking/blocking setup:
> Configuration cost: significant (include keeping it up-to-date)
> Additional cost: setup of clients for knocking, use of -p XXX for new port
> Positive effect: "standard scans" will probably miss, but not airtight
> Verdict: Harder to judge, I think it's often not worth it
>
> Other things worth looking into are, for example, access.conf (pam_access.so)
> and ensuring that non-trivial passwords are used.
>
> my €0.02,
> Peter
>
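For readers who want to see what the cheap options above actually look like as rules, here is an added example (not from the thread, and not written by any of its participants). It prints the iptables and access.conf lines for the source-host allowlist Peter recommends, the "one NEW connection per minute" limit Coert mentioned, and the pam_access.so restriction, instead of applying them, so it runs as an unprivileged dry run. Assumptions: sshd listens on port 22, the admin hosts 192.0.2.10 and 198.51.100.0/24 are constructed RFC 5737 documentation addresses, the administrators are in group `wheel`, and sshd's PAM stack includes `account required pam_access.so` with `UsePAM yes`.

```shell
#!/bin/sh
# Added example, not from the thread: emit (do not apply) the rules behind the
# three cheap SSH hardening options discussed. Addresses are constructed RFC 5737
# examples; SSH_PORT and the "wheel" group are assumptions for this example.

SSH_PORT=22

# Option A (Peter's "one iptables line" per trusted host): accept new SSH
# connections only from known admin hosts/networks and drop everything else.
# Scans and password guesses from anywhere else never reach sshd or the log.
ssh_allowlist_rules() {
    for src in "$@"; do
        printf 'iptables -A INPUT -p tcp --dport %s -s %s -m conntrack --ctstate NEW -j ACCEPT\n' \
            "$SSH_PORT" "$src"
    done
    printf 'iptables -A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j DROP\n' "$SSH_PORT"
}

# Option B (the "one NEW connection per minute" setting): a token bucket on new
# SSH connections. The limit match counts globally, not per source, so a noisy
# scanner also eats the budget of legitimate admins. It slows brute forcing and
# keeps /var/log/secure readable; it does not keep anyone out.
ssh_ratelimit_rules() {
    rate=${1:-1/min}
    printf 'iptables -A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -m limit --limit %s --limit-burst 1 -j ACCEPT\n' \
        "$SSH_PORT" "$rate"
    printf 'iptables -A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j DROP\n' "$SSH_PORT"
}

# Option C (access.conf, pam_access.so): the same host restriction at the PAM
# layer. pam_access stops at the first matching line, so allow the admin group
# from the console (LOCAL) and the admin networks, then deny everyone else.
# First argument is the users field, e.g. "(wheel)" for a group; the rest are
# origins in the network/netmask form pam_access has accepted for a long time.
access_conf_lines() {
    users=$1
    shift
    printf '+ : %s : LOCAL' "$users"
    for src in "$@"; do
        printf ' %s' "$src"
    done
    printf '\n- : ALL : ALL\n'
}

# Stand-alone run: print all three rule sets for review before pasting them
# into the firewall script or /etc/security/access.conf.
ssh_allowlist_rules 192.0.2.10 198.51.100.0/24
echo
ssh_ratelimit_rules 1/min
echo
access_conf_lines '(wheel)' 192.0.2.10 198.51.100.0/255.255.255.0
```

Option A is the one that removes the noise; B only paces it, and because `-m limit` keeps a single global bucket, an attacker who keeps hammering port 22 also locks out the admin for that minute. Whichever you choose, keep a console or out-of-band path to the box before loading the rules, and test the access.conf change from a second session before closing the first.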