In response to Christopher Hilton <[EMAIL PROTECTED]>: > Erik Osterholm wrote: > > On Sun, Apr 15, 2007 at 08:02:55PM -0400, Bill Moran wrote: > >> There was some discussion on this list not too long ago, and someone > >> asked if I was willing to make my pf config and the associated scripts > >> I wrote for it public. I would have posted on the original thread, > >> but I can't find it now. > >> > >> Here is the information: > >> http://www.potentialtech.com/cms/node/16 > >> > > First: I'm not sure if the group got to it and I'm posting to a very > stale thread here but I've found that the best way to defeat these > password scanning ssh bots is to disallow passwords allowing > public/private key authentication in their stead. Unfortunately this > isn't always possible. Bill's method is a very close second.
I'm a big fan of PKI, but PKI suffers from one major problem, and it's the same flaw that physical keys suffer from: you have to have the key with you. With a password, I'm always guaranteed to have access. Just give me any computer that has an SSH client available. With PKI, I'm hosed if I don't have a copy of my private key on a jump drive or something. I'm always torn because of this. I really like the added security of PKI, but history has taught me that I'll need access at a critical time when I _don't_ have a key with me. As a result, I've decided to use password auth on this particular server. > Second: I love the simplicity of the stateless firewall rules in Bill's > pf.conf. I may have to look at implementing that here. I'm not 100% sure, but I believe the disadvantage of the stateless approach is that pf can't do packet normalization without state. Thus a scrub statement will have no effect on stateless traffic. Again, in my case I have enough faith in FreeBSD's TCP stack that I've deemed this an acceptable risk. If you're using pf to protect a bunch of Windows servers, you may want to reconsider stateless rules. -- Bill Moran http://www.potentialtech.com _______________________________________________ firstname.lastname@example.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"