Yitzchak Gale wrote, at 11/22/2007 07:42 AM:
> Unfortunately, on today's Internet any server with
> the standard SSH port open gets continuously
> hammered by hundreds of botnet zombies that
> try to find username/password combinations by
> brute force. Disabling password authentication
> does not help - the zombies still hammer you.
> So you just can't use the standard port anymore.

How does this not apply to WebDAV, as well? When your server is hammered by botnets trying to brute force your WebDAV repository, will you move it to another port? Brute force attacks are directed against any service that uses password authentication, not just SSH. Disabling password authentication certainly does help protect the resource, but so does enforcing reasonable login/password best practices to avoid the low-hanging fruit these bots seek.

Using iptables on Linux, it's trivial to block common brute force attacks against SSH using the recent module:

    iptables -A INPUT -p tcp -m state --state NEW --dport 22 -m recent --update --seconds 15 -j DROP
    iptables -A INPUT -p tcp -m state --state NEW --dport 22 -m recent --set -j ACCEPT

This stops brute force attacks in their tracks, and prevents the attempts from filling up the logs. Beyond that, I don't allow root logins, and make good use of AllowUsers, AllowGroups and other configuration parameters to harden SSH.

> Finally - although SSH is still widely used and
> widely supported, it is officially viewed as
> deprecated by the IETF.

?

> Like other VCSs,
> we should start migrating towards WebDAV
> over an encrypted channel.

I understand why you'd want support built directly into a client, but why can't you mount a WebDAV directory and use it with Darcs? Why should applications include extra code (with potential bugs and security risks) to deal with a service that can be provided by the OS? If SSH, WebDAV, and other protocol support is lacking on Windows, it's hardly fair to blame Darcs.

_______________________________________________
darcs-users mailing list
[email protected]
http://lists.osuosl.org/mailman/listinfo/darcs-users
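As an added illustration (not from the post, the list, or any darcs code), a small Python model of what the two iptables rules above actually decide: the first rule matches, and refreshes the source's timestamp, whenever the source was seen within the 15 s window, so a host that keeps hammering stays blocked as long as it keeps trying, while a host that waits out the window is accepted again. The events and addresses are constructed sample data.

```python
"""Model of the two-rule xt_recent pattern for NEW SYNs to port 22.

Rule 1: -m recent --update --seconds 15 -j DROP
        source seen within the window -> refresh its timestamp, DROP
Rule 2: -m recent --set -j ACCEPT
        otherwise                     -> record the timestamp, ACCEPT
"""

WINDOW = 15  # --seconds 15


class RecentList:
    """Last-seen time per source address, like the module's DEFAULT list."""

    def __init__(self, window=WINDOW):
        self.window = window
        self.last_seen = {}

    def update_within(self, src, now):
        """--update --seconds N: match and refresh if seen within N seconds."""
        seen = self.last_seen.get(src)
        if seen is not None and now - seen <= self.window:
            self.last_seen[src] = now  # a DROP still refreshes the stamp
            return True
        return False

    def set(self, src, now):
        """--set: add or refresh the source's timestamp."""
        self.last_seen[src] = now


def filter_syns(events, window=WINDOW):
    """events: (timestamp_seconds, src_ip) pairs in time order.
    Returns (timestamp, src_ip, verdict) per NEW connection attempt."""
    recent, out = RecentList(window), []
    for t, src in events:
        if recent.update_within(src, t):
            out.append((t, src, "DROP"))
        else:
            recent.set(src, t)
            out.append((t, src, "ACCEPT"))
    return out


def verdicts(src, results):
    return [v for _, s, v in results if s == src]


# Constructed sample: a bot every 3 s, an admin 39 s apart, and a hasty retry.
SAMPLE = sorted([(t, "203.0.113.7") for t in range(0, 24, 3)]
                + [(1, "192.0.2.10"), (40, "192.0.2.10")]
                + [(2, "198.51.100.5"), (10, "198.51.100.5"), (30, "198.51.100.5")])

if __name__ == "__main__":
    for t, src, v in filter_syns(SAMPLE):
        print(f"t={t:>3}s {src:<14} {v}")
```

Note the third source: a legitimate user who retries 8 s after a failed login is dropped too, and the drop restarts their 15 s clock, which is the trade-off of this rule pair.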
