Tobias Ulmer wrote:
This topic comes up at regular intervals of 6 months on every *nix mailing list I'm on.
It's stupid (sorry, but it is):
Gained "security" = 0%. Leave it just as it is. You don't have anything to fear if you use decent passwords. Otherwise don't offer an ssh service!
I keep the following setup in my pf.conf for bandwidth/cpu, not security, reasons:
---------
[...]
table <ssh-white> persist { 127.0.0.1, ... }
[...]
# Hosts in whitelist are always allowed to connect unlimited
# Non-whitelisted Linux hosts are blocked
# Allow other ssh connections with limited connection rate
pass in quick on $ext_if proto tcp from <ssh-white> to ($ext_if:0) \
        port ssh keep state label "ssh-white"
block in quick on $ext_if proto tcp from any os Linux to ($ext_if:0) \
        port ssh label "ssh-linux"
pass in quick on $ext_if proto tcp from any to ($ext_if) \
        port ssh flags S/SA keep state (max-src-conn-rate 1/30) \
        label "ssh-other"
[...]
---------

/Alexander