On Friday 10 July 2009, Rob Kampen wrote:
> Coert Waagmeester wrote:
...
> > it only allows one NEW connection to ssh per minute.
> >
> > That is also a good protection right?
...
> Not really protection - rather a deterrent - it just makes it slower for
> the script kiddies that try brute force attacks

Basically it's not so much about protection in the end as it is about
keeping your secure-log readable. Or maybe also a sense of being secure...

It's always good to limit your exposure, but you really have to weigh
cost against the win. Two examples:

Limit from which hosts you can log in to a server:
  Configuration cost: trivial setup (one iptables line)
  Additional cost: between no impact and some impact, depending on your habits
  Positive effect: 99.9+% of all scans and login attempts are now gone
  Verdict: Clear win as long as the set of servers is easily identifiable

Elaborate knocking/blocking setup:
  Configuration cost: significant (includes keeping it up to date)
  Additional cost: setup of clients for knocking, use of -p XXX for the new port
  Positive effect: "standard scans" will probably miss, but it is not airtight
  Verdict: Harder to judge; I think it's often not worth it

Other things worth looking into are, for example, access.conf (pam_access.so)
and ensuring that non-trivial passwords are used.

my €0.02,
Peter