On Friday 10 July 2009, Rob Kampen wrote:
Coert Waagmeester wrote:
...
it only allows one NEW connection to ssh per minute.
That is also a good protection right?
...
Not really protection - rather a deterrent - it just makes it slower for the script kiddies that try brute force attacks
Basically it's not so much about protection in the end as it is about keeping your secure-log readable. Or maybe also a sense of being secure...
It's always good to limit your exposure but you really have to weigh cost against the win. Two examples:
Limit from which hosts you can log in to a server:
  Configuration cost: trivial setup (one iptables line)
  Additional cost: between no impact and some impact depending on your habits
  Positive effect: 99.9+% of all scans and login attempts are now gone
  Verdict: Clear win as long as the set of servers is easily identifiable

Elaborate knocking/blocking setup:
  Configuration cost: significant (including keeping it up to date)
  Additional cost: setup of clients for knocking, use of -p XXX for the new port
  Positive effect: "standard scans" will probably miss, but not airtight
  Verdict: Harder to judge, I think it's often not worth it
Other things worth looking into are, for example, access.conf (pam_access.so) and ensuring that non-trivial passwords are used.
my €0.02, Peter
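To make the two cheaper measures in Peter's reply concrete (the per-host iptables allow-list and pam_access), here is an added example that is not part of the thread. It only emits the rules and the access.conf lines so they can be reviewed before being applied as root; the allowed hosts, the `wheel` group, and the rate-limit expression are assumptions (Coert's actual "one NEW connection per minute" rule is not shown in the thread, and the addresses are constructed RFC 5737 examples). It assumes an earlier rule already accepts ESTABLISHED,RELATED traffic.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Generates (does not apply)
# the iptables rules and pam_access lines discussed above. Run the output
# yourself as root once you have checked it.

ALLOWED_HOSTS="${ALLOWED_HOSTS:-192.0.2.10 198.51.100.0/24}"  # assumption: your admin hosts (constructed RFC 5737 addresses)
SSH_PORT="${SSH_PORT:-22}"

# Example 1 from the message: accept SSH only from known hosts, drop the rest.
# $1 = space-separated hosts/CIDRs, $2 = port. Prints one command per line.
# Assumes an earlier "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" rule.
ssh_allowlist_rules() {
    for h in $1; do
        printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$2" "$h"
    done
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$2"
}

# One way (an assumption, not Coert's rule) to express "one NEW connection per
# minute": a global limiter with a small burst. Note it is global, so a single
# scanner can use up the budget and lock out legitimate users too.
ssh_ratelimit_rules() {
    printf 'iptables -A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -m limit --limit 1/minute --limit-burst 3 -j ACCEPT\n' "$1"
    printf 'iptables -A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j DROP\n' "$1"
}

# Fragment for /etc/security/access.conf (pam_access.so), format
# "permission : users/groups : origins". Allows local logins, the wheel group
# (assumed admin group) from the listed hosts, and denies everything else.
pam_access_lines() {
    printf '%s\n' '+ : ALL : LOCAL'
    for h in $1; do
        printf '+ : wheel : %s\n' "$h"
    done
    printf '%s\n' '- : ALL : ALL'
}

# Sanity check on a generated rule list: the final rule must be the DROP,
# otherwise a later ACCEPT would reopen the port. Returns 0 if the order is right.
drop_is_last() {
    case "$(printf '%s\n' "$1" | tail -n 1)" in
        *"-j DROP") return 0 ;;
        *) return 1 ;;
    esac
}

rules="$(ssh_allowlist_rules "$ALLOWED_HOSTS" "$SSH_PORT")"
drop_is_last "$rules" || { echo "bad rule order" >&2; exit 1; }

echo "# iptables: allow-list (use this OR the rate limit, not both)"
echo "$rules"
echo "# iptables: rate limit alternative"
ssh_ratelimit_rules "$SSH_PORT"
echo "# /etc/security/access.conf"
pam_access_lines "$ALLOWED_HOSTS"
```

The allow-list and the rate limit are printed as alternatives: once SSH is only reachable from a handful of hosts, the limiter buys nothing and would only lock out your own admins after a few quick reconnects. For pam_access to take effect, `account required pam_access.so` must also be present in the sshd PAM stack, and sshd must run with `UsePAM yes`.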