In message <[EMAIL PROTECTED]>, Stuart Henderson writes:
> On 2006/11/23 17:07, Igor Sobrado wrote:
> ...
> > to set up a firewall with an ever-growing list of hostile machines.
> ...
>
> I think you misunderstand me. I mean to restrict direct SSH access
> to only those networks which need access, not to block attackers when
> you see them. Authorized users would either connect from an approved
> IP address, or by using authpf. (for this, I'm assuming use of a
> separate firewall to protect a number of other machines, not
> 'self-protecting').
You are right, I misunderstood you. We have a similar setup on the
machines at FCSI, in Illinois. It is very secure, but somewhat
restrictive. I certainly prefer opening the ssh service to the world
on a bastion host. If that machine is attacked, only other servers in
the DMZ are at risk... well, the second firewall can be attacked too.

> There aren't a lot of cases where you need to leave SSH access
> open to the world.

You are right; carefully choosing the address ranges that will be
allowed, there is no need to leave ssh open to the world. Even if
remote root access is disabled (it is usually disabled on my
computers) there is a risk of a user john having the password john...

I like your proposal a lot but, honestly, I am surprised by the
elegant method proposed by Steve. With only a few opportunities to
guess the right password it seems that a brute force attack is not
possible at all (except with a highly distributed brute force attack,
of course, but that is beyond the abilities of standard intruders).
I will consider both your proposal and Steve's. Thanks a lot for this
excellent advice!

Igor.
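Stuart's setup as described above, written out as an added example that is not part of the thread (Steve's method is not reproduced on this page, so it is not shown): a pf.conf for a separate firewall in front of the servers that permits direct ssh to them only from approved networks, plus the authpf rule set that opens ssh for an authenticated user's own source address for the lifetime of the authpf session. The interface name, the addresses and the table members are assumptions chosen for the example.

```pf
# ---- /etc/pf.conf (added example; em0, 203.0.113.x, 192.0.2.x and
# ---- 198.51.100.7 are assumed values, not from the thread) ----
ext_if  = "em0"
fw_addr = "203.0.113.1"                       # firewall itself: authpf users log in here
servers = "{ 203.0.113.10, 203.0.113.11 }"    # protected hosts running sshd

# Networks/hosts allowed direct ssh to the servers (assumed members).
table <ssh_ok> persist { 192.0.2.0/24, 198.51.100.7 }

set skip on lo
block in log on $ext_if

# Direct ssh to the servers only from approved addresses.
pass in on $ext_if proto tcp from <ssh_ok> to $servers port ssh \
    flags S/SA keep state

# Anyone may reach ssh on the firewall itself, but an authpf user's login
# shell is authpf, so a successful login only loads that user's rules
# into the anchor below; it grants nothing by itself.
pass in on $ext_if proto tcp from any to $fw_addr port ssh \
    flags S/SA keep state

# Per-user rules loaded by authpf(8) while the user's session is open.
anchor "authpf/*"

# ---- /etc/authpf/authpf.rules (added example) ----
# authpf defines $user_ip as the address the user logged in from and
# evaluates this file as pf rules for that user.
# ext_if  = "em0"
# servers = "{ 203.0.113.10, 203.0.113.11 }"
# pass in on $ext_if proto tcp from $user_ip to $servers port ssh \
#     flags S/SA keep state
```

To use the authpf path, give each remote user /usr/sbin/authpf as their login shell on the firewall and list them in /etc/authpf/authpf.allow; the rules in the anchor are removed when the ssh session to the firewall ends, so an attacker who is not on an approved network and has no account on the firewall never sees the servers' sshd at all.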

