On Wed, May 6, 2009 at 15:22, Tim <[email protected]> wrote:
> Of course this kind of blacklisting is just playing whack-a-mole and
> may be ill-advised. If you're worried about password brute force
> attacks, then require users to use public keys in your sshd_config
> and be done with it.

Or if you can't do that, use something like denyhosts to tcpwrap them out of existence after X number of failures. I rolled this out after I got tired of playing whack-a-mole and to my delight discovered that no scanner in the past 8 months (since I rolled it out) continues to scan more than a handful of times after the connection is refused.

I cannot implement the host keys solution since some inflexible 3rd party systems sftp into our servers for automated file dropoff/pickup, and I didn't want to get into the business of teaching i.e. Mac Dreamweaver human users how to set up keys either.

_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
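
The "block after X number of failures" approach from the message above, as an added example (not DenyHosts' own code and not part of the original post): count failed sshd password logins per source address and format the offenders as TCP wrappers entries. The log lines, the default threshold of 3, the allow list and the function names are all constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sshd log lines using documentation-range addresses; not real data.
SAMPLE_LOG = """\
May  6 15:01:02 host sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
May  6 15:01:04 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40113 ssh2
May  6 15:01:07 host sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 40115 ssh2
May  6 15:02:10 host sshd[2110]: Failed password for alice from 198.51.100.20 port 51514 ssh2
May  6 15:02:15 host sshd[2110]: Accepted password for alice from 198.51.100.20 port 51514 ssh2
May  6 15:03:00 host sshd[2120]: Invalid user oracle from 192.0.2.55
May  6 15:03:01 host sshd[2120]: Failed password for invalid user oracle from 192.0.2.55 port 33001 ssh2
May  6 15:03:05 host sshd[2121]: Failed password for invalid user x from 10.9.9.9 from 192.0.2.55 port 33002 ssh2
"""

# The username is chosen by the remote side and may itself contain " from <ip>",
# so the user part is matched greedily and only the LAST address on the line,
# the one sshd wrote, is captured. Otherwise a scanner could get others blocked.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?.* from (\S+) port \d+ ssh2$"
)

def offenders(log_text, threshold=3, allow=frozenset()):
    """Return {ip: failures} for sources with at least `threshold` failed logins."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        try:
            ip = str(ipaddress.IPv4Address(m.group(1)))  # IPv4 only, a simplification
        except ValueError:
            continue  # never write an unvalidated token into hosts.deny
        if ip not in allow:  # e.g. partner systems doing automated sftp
            counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def hosts_deny_lines(blocked):
    """Format blocked addresses as TCP wrappers entries for /etc/hosts.deny."""
    return [f"sshd: {ip}" for ip in sorted(blocked)]

if __name__ == "__main__":
    print("\n".join(hosts_deny_lines(offenders(SAMPLE_LOG, allow={"198.51.100.20"}))))
```

The allow list matters for the setup described in the message: an automated sftp partner with a stale password would otherwise lock itself out after a few retries.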
