> or if you can't do that, use something like denyhosts to tcpwrap them
> out of existence after X number of failures. i rolled this out after
> i got tired of playing whack-a-mole and to my delight discovered that
> no scanner in the past 8 months (since i rolled it out) continues to
> scan more than a handful of times after the connection is refused.
I just have a problem with reactive defense mechanisms. There needs to be some real security benefit, or no other way to accomplish the same thing, before I deploy something that actively tries to thwart attacks. I'm not a fan of IPS or even IDS, in case you hadn't guessed. Reactive defense adds software to your system. All software has bugs. Some percentage of software bugs have a negative security impact. How can you weigh the negative security impact of your reactive defense system against the gains it provides? How do you weigh this against the extra effort it requires to maintain?

> i cannot implement the host keys solution since some inflexible 3rd
> party systems sftp into our servers for automated file dropoff/pickup,
> and i didn't want to get into the business of teaching i.e. Mac
> Dreamweaver human users how to set up keys either.

Another option is to use PAM/libcrack to ensure users select secure passwords.

Or, simply whitelist the IP ranges your sftp users are likely coming in from and block the rest. Or require that they come in over a VPN first. OpenVPN provides a great pre-auth handshake option over UDP that obliterates any password guessing and DoS attacks on its port, and you can't even tell it's listening there.

Does Dreamweaver support WebDAV over SSL? Maybe managing client certificates in a browser would be easier for them than trying to do it with sftp.

There are probably other solutions, depending on your environment.

cheers,
tim

_______________________________________________
PLUG mailing list
http://lists.pdxlinux.org/mailman/listinfo/plug
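The "whitelist the partner IP ranges and block the rest" option above is only safe if the ranges are actually right, so the check worth doing before turning it on is to replay recent sshd log lines through the proposed allowlist and see which connections it would have cut off. The script below is an added example and is not code from this thread or from any of the tools it mentions; the allowlist ranges and the sshd log lines are constructed sample values (RFC 5737 documentation addresses), and the log format is the standard syslog `Accepted/Failed password for ... from ... port ...` line sshd writes.

```python
"""Dry-run a proposed sftp source-IP allowlist against sshd log lines.

Added example, not from the PLUG thread. Before blocking every source
outside the ranges your sftp partners use, replay recent sshd auth log
lines through the allowlist and report (a) what it would have blocked,
(b) any successful logins it would have broken, and (c) failed-password
counts per source, which is the signal the denyhosts discussion is about.
"""
import ipaddress
import re
from collections import Counter

# Assumed partner ranges (constructed example values, not real networks).
ALLOWED_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.16/28"),
]

# Constructed sample of sshd syslog lines for the dry run.
SAMPLE_LOG = """\
Jun  3 02:11:07 host sshd[1201]: Accepted password for partnerftp from 203.0.113.45 port 51022 ssh2
Jun  3 02:11:09 host sshd[1203]: Failed password for root from 192.0.2.77 port 40012 ssh2
Jun  3 02:11:10 host sshd[1204]: Failed password for invalid user admin from 192.0.2.77 port 40013 ssh2
Jun  3 02:11:12 host sshd[1206]: Failed password for invalid user oracle from 192.0.2.77 port 40015 ssh2
Jun  3 02:12:30 host sshd[1210]: Accepted password for designer from 198.51.100.20 port 50211 ssh2
Jun  3 02:13:05 host sshd[1215]: Failed password for partnerftp from 203.0.113.45 port 51030 ssh2
Jun  3 02:14:44 host sshd[1220]: Accepted password for designer from 192.0.2.200 port 50222 ssh2
"""

# Matches the password-auth result lines sshd logs; other lines are ignored.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.:a-fA-F]+) port \d+"
)


def parse_auth_lines(text):
    """Yield (result, user, ip_address) for each sshd password-auth line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield (m.group("result"), m.group("user"),
                   ipaddress.ip_address(m.group("ip")))


def is_allowed(ip, ranges=ALLOWED_RANGES):
    """True if the source address falls inside one of the allowlisted ranges."""
    ip = ipaddress.ip_address(ip)
    return any(ip in net for net in ranges)


def dry_run(text, ranges=ALLOWED_RANGES):
    """Return (blocked_attempts, broken_logins, failures_per_ip).

    blocked_attempts: Counter of attempts per source the allowlist would drop.
    broken_logins:    (user, ip) pairs that succeeded but would now be blocked,
                      i.e. legitimate users the allowlist is missing.
    failures_per_ip:  Counter of failed passwords per source, all sources.
    """
    blocked_attempts = Counter()
    broken_logins = []
    failures = Counter()
    for result, user, ip in parse_auth_lines(text):
        if result == "Failed":
            failures[str(ip)] += 1
        if not is_allowed(ip, ranges):
            blocked_attempts[str(ip)] += 1
            if result == "Accepted":
                broken_logins.append((user, str(ip)))
    return blocked_attempts, broken_logins, failures


if __name__ == "__main__":
    attempts, broken, failures = dry_run(SAMPLE_LOG)
    print("Would be blocked:", dict(attempts))
    print("Legitimate logins the allowlist would break:", broken)
    print("Failed passwords per source:", dict(failures))
```

On the constructed sample the allowlist drops the guessing source entirely but also reports one real user (`designer` from an unlisted address) who would be locked out, which is exactly the kind of range you want to discover from the logs rather than from a support call after the firewall rule goes in.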
