--- Chris Carey <[EMAIL PROTECTED]> wrote:
> I agree wholeheartedly. What I meant is that it's futile to
> block individual IPs. For every one you block, two more will
> appear. For an Internet connected device, one should put a
> policy for security in place that covers all IPs.
Blocking individual IPs really amounts to enumerating badness [1], which admittedly isn't a very effective security policy (albeit it *has* significantly reduced the problem, at least on my server). The problem is, unless you know that you'll only be connecting from a very few places, all known in advance, the alternative (enumerating goodness) is a hard problem.

I like the automatic blocking idea behind DenyHosts, particularly given its sync functionality and its automatic cleanup of old blocks. I wish it were trivial to set it up to update my pf rules instead of just hosts.deny for ssh. I also like the rate-limiting idea that someone mentioned. I'm going to have to find out how to do that in pf...

All of that, however, is still only part of a solution. It's still important to use enumerated goodness in another context by allowing connections only from specified users, and it's still important to disable root access and disable password authentication.

[1] http://www.ranum.com/security/computer_security/editorials/dumb/

PGP Key ID: 071B173D
Fingerprint: ED30 B048 6833 56B4 28C0 CE52 F12B 884A 071B 173D

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
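The two things the reply wishes for, DenyHosts feeding pf instead of only hosts.deny and SSH rate-limiting in pf, can be done together with one pf table. The script below is an added example; it is not from the post, from DenyHosts or from the pf project. It assumes a table named <sshbrute>, an external interface macro `ext_if = "em0"`, and that `PFCTL` can be pointed at `true` for a dry run; the hosts.deny contents are constructed sample data. The `max-src-conn-rate` / `overload` syntax needs a pf release that has the overload feature.

```shell
#!/bin/sh
# Added example (not from the original post, DenyHosts or pf): feed the sshd
# entries that DenyHosts writes to hosts.deny into a pf table, so the same
# blocklist is enforced by the packet filter and not only by TCP wrappers.
# Assumptions (not from the post): the pf table is called <sshbrute>, the
# external interface macro is $ext_if = "em0", and PFCTL may be set to
# "true" for a dry run.  The hosts.deny generated below is sample data.

PF_TABLE="${PF_TABLE:-sshbrute}"
PFCTL="${PFCTL:-pfctl}"

# pf.conf fragment: the table persists across rule reloads; a source that
# opens more than 5 new SSH connections in 30 seconds (or holds more than 10)
# is added to the table and all its states are flushed ("overload ... flush
# global"), and the first rule then drops anything in the table.  Addresses
# loaded from hosts.deny by this script land in the same table.
pf_ssh_ruleset() {
    cat <<'EOF'
ext_if = "em0"
table <sshbrute> persist
block in quick on $ext_if proto tcp from <sshbrute> to any port ssh
pass in on $ext_if proto tcp from any to any port ssh flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, overload <sshbrute> flush global)
EOF
}

# Print the unique IPv4 addresses from "sshd: ADDR" lines of a hosts.deny
# file.  Comment lines (DenyHosts writes "# DenyHosts: <date> | sshd: ADDR"
# above each entry), entries for other daemons and hostnames are skipped,
# because a pf table holds addresses, not names.
hosts_deny_addrs() {
    # $1 = path to hosts.deny
    awk -F'[: \t]+' '
        /^[ \t]*#/ { next }
        $1 == "sshd" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $2 }
    ' "$1" | sort -u
}

# Add each address to the pf table; prints how many were added.
# "pfctl -t <table> -T add" is idempotent, so re-running is safe.
load_into_pf() {
    n=0
    for a in $(hosts_deny_addrs "$1"); do
        "$PFCTL" -t "$PF_TABLE" -T add "$a" >/dev/null 2>&1 || return 1
        n=$((n + 1))
    done
    echo "$n"
}

# Constructed sample hosts.deny (not real data) for a stand-alone run;
# prints the path of the temporary file it wrote.
sample_hosts_deny() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# DenyHosts: Tue Jun  5 08:12:00 2007 | sshd: 203.0.113.5
sshd: 203.0.113.5
# DenyHosts: Tue Jun  5 08:40:00 2007 | sshd: 198.51.100.77
sshd: 198.51.100.77
ALL: 192.0.2.9
sshd: not-an-address.example
sshd: 203.0.113.5
EOF
    echo "$f"
}

# Usage: sync_denyhosts_pf.sh rules           -> print the pf.conf fragment
#        sync_denyhosts_pf.sh /etc/hosts.deny -> load entries into <sshbrute>
case "${1:-}" in
    "")    ;;
    rules) pf_ssh_ruleset ;;
    *)     if n=$(load_into_pf "$1"); then
               printf 'added %s address(es) to <%s>\n' "$n" "$PF_TABLE"
           else
               echo "pfctl failed; is pf enabled and <$PF_TABLE> defined?" >&2
               exit 1
           fi ;;
esac
```

Run it from cron after DenyHosts, or from DenyHosts' own hook if yours has one, with `sync_denyhosts_pf.sh /etc/hosts.deny`. The pf-side counterpart to DenyHosts' cleanup of old blocks is `pfctl -t sshbrute -T expire 86400`, which drops table entries older than a day; the overload rule keeps catching fresh offenders in between.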
