In message <[EMAIL PROTECTED]>, Stuart Henderson writes:
> On 2006/11/23 15:14, Igor Sobrado wrote:
> > 2. There are a lot of brute force attacks from countries like
> > Korea these days. These attacks will be less effective if
> > the intruders get access to an unprivileged account (even if
> > it is in the wheel group).
>
> On a typical system, these are better blocked at the firewall.
> If you need offsite SSH access from unknown IP addresses, you can
> use authpf to open the ports instead, which gives you a single
> point of control.

Indeed, it is possible to block these services at the firewall, but it is not a clean answer to the problem. I certainly would prefer changing the behaviour of sshd on a freshly installed system to setting up a firewall with an ever-growing list of hostile machines. On the other hand, I see that once the brute force attack ends (usually in some hours), that machine will not make contact again (these brute force attacks are probably a part of a more general scanning tool). These machines have dynamic addresses, and there is a small chance of blocking addresses that can be used by authorized users in the future too.

> > Some of these tools try passwords that I would not call "low-
> > quality ones".
>
> "PasswordAuthentication no" is quite effective against this.

Indeed, using certificates is an excellent choice too. I suppose that OpenBSD currently supports using certificates stored in removable media. A bit hard to configure, but highly secure. Indeed.

Cheers,
Igor.

