On Fri, January 13, 2006 12:35 pm, Andrew Errington wrote:
> On Fri, 13 Jan 2006 12:15, you wrote:
>> However, I wouldn't implement any IP address barring strategy, as it
>> makes you look like you've got something to hide, which will make them
>> try harder. There's even a case for having a dmz running on port 22, and
>> let them play, find there's nothing of use, and give up.
>
> Hmm. Nice idea, but once they get into the DMZ they are on your network
> and could get to other machines inside your network. (If not, why not?)

The DMZ runs at a security level higher than the outside world, and lower
than your (theoretically secure) internal network. The idea is that you
have a sacrificial machine in a vacuum, listening on port 22, and redirect
traffic off your real ssh port to another server on the internal network.

--
Work like you don't need the money,
Love like your heart has never been broken and
Dance like no one can see you.
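
A firewall ruleset for the layout described in the reply above, as an added example that is not part of the original message: port 22 from outside lands on the sacrificial DMZ host, the real SSH service is reached on a different port, and the DMZ cannot open connections into the internal network. The interface names, addresses and port 2222 are assumptions, and nftables is used only for illustration.

```nftables
#!/usr/sbin/nft -f
# Constructed example: eth0/eth1/eth2, 10.0.1.10, 10.0.2.20 and port 2222
# are placeholders, not values from the thread.
flush ruleset

define wan_if = "eth0"    # outside world
define dmz_if = "eth1"    # sacrificial segment
define lan_if = "eth2"    # internal network

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # Port 22 from outside goes to the sacrificial machine in the DMZ.
        iifname $wan_if tcp dport 22 dnat to 10.0.1.10:22
        # The real SSH service is published on another port and forwarded
        # to a server on the internal network.
        iifname $wan_if tcp dport 2222 dnat to 10.0.2.20:22
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $wan_if masquerade
    }
}

table ip filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        # Replies to connections that were allowed in or out.
        ct state established,related accept
        # The two published services (addresses are post-DNAT here).
        iifname $wan_if oifname $dmz_if ip daddr 10.0.1.10 tcp dport 22 ct state new accept
        iifname $wan_if oifname $lan_if ip daddr 10.0.2.20 tcp dport 22 ct state new accept
        # Internal hosts may open connections outward or into the DMZ.
        iifname $lan_if ct state new accept
        # The "vacuum": the DMZ host may never start a connection inward.
        # Logged because any hit means the decoy is being used as a pivot.
        iifname $dmz_if oifname $lan_if log prefix "dmz-to-lan " drop
        # New connections from the DMZ to the outside fall through to
        # the drop policy, so the decoy cannot be used to reach out either.
    }
}
```

The "dmz-to-lan" log prefix gives a single string to alert on: the decoy has no legitimate reason to contact internal hosts, so every match is worth investigating.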
