On Tue, July 22, 2008 11:57, MHR wrote:
> On Tue, Jul 22, 2008 at 8:16 AM, David Dyer-Bennet <dd-b at dd-b.net> wrote:
>>
>> The next step up from that is some form of "port knocking" scheme --
>> where the outsider must first attempt to connect to some particular
>> *other* port to trigger ssh to be ready to listen on the (non-standard)
>> SSH port.
>>
>> On the other hand, why are people so worried about SSH scans? I'm
>> worried about who actually gets in, not who connects to the port. Strong
>> password quality enforcement, or maybe requiring public-key
>> authentication, seem like a more useful response. (I'm seeing a lot of
>> failed ssh connects myself right now. Another system here has been
>> blocking every /24 we get a failed connect from, with the result that
>> they had to add a special rule to let my home systems log in! This could
>> easily result in my being unable to get in from arbitrary locations in
>> the field in an emergency, which seems not good.)
>
> You have, perhaps, heard of denial-of-service attacks?

Yes, but if there are *any* ports exposed, seems like those are equally
possible. For that matter, if my ports were all closed, they could still
be sending enough packets up my link that I was DOSed pretty much into
oblivion.

-- 
David Dyer-Bennet, dd-b at dd-b.net; http://dd-b.net/
Snapshots: http://dd-b.net/dd-b/SnapshotAlbum/data/
Photos: http://dd-b.net/photography/gallery/
Dragaera: http://dragaera.info
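As an added example (not code from the thread or from either poster), a small Python log check that contrasts the two responses discussed above: banning a whole /24 after a single failed connect, which also locks out a trusted address in that range, versus banning only repeat offenders and looking at who actually got in and by which method. The hostnames, addresses and log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample sshd log lines (not taken from the original thread).
SAMPLE_AUTH_LOG = """\
Jul 22 11:40:01 gw sshd[2101]: Failed password for invalid user admin from 203.0.113.17 port 51022 ssh2
Jul 22 11:40:03 gw sshd[2103]: Failed password for root from 203.0.113.17 port 51030 ssh2
Jul 22 11:40:05 gw sshd[2105]: Failed password for root from 203.0.113.17 port 51041 ssh2
Jul 22 11:41:10 gw sshd[2110]: Failed password for invalid user test from 198.51.100.9 port 40412 ssh2
Jul 22 11:42:55 gw sshd[2120]: Accepted publickey for ddb from 198.51.100.44 port 50200 ssh2
Jul 22 11:44:02 gw sshd[2131]: Accepted password for ddb from 192.0.2.8 port 33000 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")
ACCEPTED_RE = re.compile(r"Accepted (\w+) for (\S+) from (\d+\.\d+\.\d+\.\d+)")

def parse_auth_log(text):
    """Split sshd log lines into failed attempts and successful logins."""
    failed, accepted = [], []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed.append({"user": m.group(1), "ip": m.group(2)})
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append({"method": m.group(1), "user": m.group(2), "ip": m.group(3)})
    return failed, accepted

def slash24(ip):
    return ipaddress.ip_network(f"{ip}/24", strict=False)

def block_whole_slash24(failed):
    """The policy the thread complains about: one failure bans the source's entire /24."""
    return {slash24(e["ip"]) for e in failed}

def block_repeat_offenders(failed, threshold=3):
    """Narrower policy: ban a single address only once it reaches `threshold` failures."""
    counts = Counter(e["ip"] for e in failed)
    return {ip for ip, n in counts.items() if n >= threshold}

def collateral_damage(blocked_nets, trusted_ips):
    """Trusted addresses (e.g. a home network) that the /24 policy would lock out too."""
    return sorted(ip for ip in trusted_ips if any(ipaddress.ip_address(ip) in net for net in blocked_nets))

def password_logins(accepted):
    """Successful logins that still relied on a password rather than a public key."""
    return [e["ip"] for e in accepted if e["method"] == "password"]
```

With the sample above, the /24 policy bans 198.51.100.0/24 because of one stray failure from 198.51.100.9 and so cuts off the trusted 198.51.100.44, while the per-address threshold bans only the address that actually hammered the port.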