On Tue, Jul 22, 2008, D Steward wrote:
On Mon, 2008-07-21 at 17:09 -0500, Tim Nelson wrote:
When using denyhosts, you'll want to keep your IP's in hosts.allow so even if you're "banned" you can still get access. :-)
Yup. Unfortunately, my ISP's plan uses dynamic IPs, so I have to enter various subnets to stay safe. :(
If you do not allow password authentication and use good pass phrases on your identity, the only thing really gained by restricting on IP ranges is restricting the number of reject messages in your log files. The fail2ban program does a nice job of limiting the number of rejection messages in the logs.
Another possibility is to set up OpenVPN on your system, which authenticates on ssl certificates and works nicely even from dynamic IPs behind NAT. Then you can ssh into the private LAN behind your firewall via OpenVPN.
Bill