I think if you use double authentication (both keys and a password) and put your SSH server on a different port then you are doing the best you can. You hope to prevent a 0-day but you cannot fully protect yourself... James On Fri, Jul 10, 2009 at 7:06 PM, Rob Townley <rob.townley at gmail.com> wrote: > On Fri, Jul 10, 2009 at 9:33 AM, Peter Kjellstrom<cap at nsc.liu.se> wrote: > > On Friday 10 July 2009, Rob Kampen wrote: > >> Coert Waagmeester wrote: > > ... > >> > it only allows one NEW connection to ssh per minute. > >> > > >> > That is also a good protection right? > > ... > >> Not really protection - rather a deterrent - it just makes it slower for > >> the script kiddies that try brute force attacks > > > > Basically it's not so much about protection in the end as it is about > keeping > > your secure-log readable. Or maybe also a sense of being secure... > > > > It's always good to limit your exposure but you really have to weigh cost > > against the win. Two examples: > > > > Limit from which hosts you can login to a server: > > Configuration cost: trivial setup (one iptables line) > > Additional cost: between no impact and some impact depending on your > habits > > Positive effect: 99.9+% of all scans and login attempts are now gone > > Verdict: Clear win as long as the set of servers are easily identifiable > > > > Elaborate knocking/blocking setup: > > Configuration cost: significant (include keeping it up-to-date) > > Additional cost: setup of clients for knocking, use of -p XXX for new > port > > Positive effect: "standard scans" will probably miss but not air tight > > Verdict: Harder to judge, I think it's often not worth it > > > > Other things worth looking into are, for example, access.conf > (pam_access.so) > > and ensuring that non-trivial passwords are used. > > > > my €0.02, > > Peter > > > > _______________________________________________ > > CentOS mailing list > > CentOS at centos.org > > http://lists.centos.org/mailman/listinfo/centos > > > > > > Virtual Networks are such as tinc-vpn.org or hamachi create an > encrypted network only accessible to members of the virtual network. > So if your server's virtual nic has an address of 5.4.3.2, then the > only other host that may see your server would be your laptop with > address 5.4.3.3. No other internet hosts would even see 5.4.3.2... > It is like IPSec, but much easier. > _______________________________________________ > CentOS mailing list > CentOS at centos.org > http://lists.centos.org/mailman/listinfo/centos > -- http://www.goldwatches.com -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.centos.org/pipermail/centos/attachments/20090712/a0878286/attachment-0004.html>