2009/10/3 Jukka Ruohonen <[email protected]>

> On Fri, Oct 02, 2009 at 05:17:59PM -0400, Greg Larkin wrote:
> > You could set up DenyHosts and contribute to the pool of IPs that are
> > attempting SSH logins on the Net:
> > http://denyhosts.sourceforge.net/faq.html#4_0
>
> While I am well aware that a lot of people use DenyHosts or some equivalent
> tool, I've always been somewhat skeptical about these tools. Few issues:
>
> 1. Firewalls should generally be as static as is possible. There is a reason
>    why high securelevel prevents modifications to firewalls.
>
> 2. Generally you do not want some parser to modify your firewall rules.
>    Parsing log entries created by remote unauthenticated users as root is
>    never a good idea.
>
> 3. Doing (2) increases the attack surface.
>
> 4. There have been well-documented cases where (3) has opened opportunities
>    for both remote and local DoS.
>
> Two cents, as they say,
>
> Jukka.
> _______________________________________________
> [email protected] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "[email protected]"

Simplest thing to do is disable password auth, and use key based.
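
A check for the key-only setup suggested in the reply above, as an added example that is not part of the original thread: it reads effective settings in the `keyword value` form that `sshd -T` prints and fails while any password-capable method is still enabled, including keyboard-interactive authentication, which with PAM also accepts the account password. The function name and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. check_sshd_auth is a hypothetical name.

# Reads "keyword value" lines (the format `sshd -T` prints) on stdin.
# Prints one finding per problem; returns 0 only when key-based login is
# the sole remaining method. A missing keyword is treated as a failure.
check_sshd_auth() {
    awk '
        { seen[tolower($1)] = tolower($2) }
        END {
            bad = 0
            if (seen["passwordauthentication"] != "no") {
                print "FAIL passwordauthentication is not no"; bad = 1
            }
            # Keyboard-interactive backed by PAM still prompts for the
            # password. Older releases name it challengeresponseauthentication.
            if (seen["kbdinteractiveauthentication"] == "yes" ||
                seen["challengeresponseauthentication"] == "yes") {
                print "FAIL keyboard-interactive is still enabled"; bad = 1
            }
            if (seen["pubkeyauthentication"] != "yes") {
                print "FAIL pubkeyauthentication is not yes"; bad = 1
            }
            if (!bad) print "OK key-based login only"
            exit bad
        }'
}

# Constructed sample: password auth off, keyboard-interactive left on.
SAMPLE_HALF_DONE='passwordauthentication no
challengeresponseauthentication yes
pubkeyauthentication yes
usepam yes'

# Constructed sample: every password-capable method off.
SAMPLE_KEYS_ONLY='passwordauthentication no
kbdinteractiveauthentication no
challengeresponseauthentication no
pubkeyauthentication yes
usepam yes'

printf '%s\n' "$SAMPLE_HALF_DONE" | check_sshd_auth || true
printf '%s\n' "$SAMPLE_KEYS_ONLY" | check_sshd_auth
```

On a live host the same function can be fed from `sshd -T | check_sshd_auth`, run as root.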

