On Mar 28, 2008, at 9:12 PM, Dave Smith wrote:
In the past, I have used /etc/hosts.[deny|allow] to secure my SSH server by restricting access to a limited number of IP addresses. This has worked very well for me over the past 3 or 4 years, but now I need to allow access to a non-enumerable set of client IP addresses, so I am considering alternate methods. The first method on my list is to require key-based authentication (no passwords). Secondly, I'm thinking about using an alternate port (i.e., 2222 instead of 22) simply to ward off automated botnet logins.

Does anyone see a problem with this? Any other ideas?

Is it non-enumerable because it is too large, or because you can't know all of them ahead of time?

If it is the second, I would suggest what is used on some of the servers I help admin. We use a dynamic whitelist of IPs that you can add your IP to by visiting an SSL webpage and doing a basic auth over SSL. If successful, that then adds your IP to the whitelist for accessing SSH and other non-public services.

Hope that helps.

Grant
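The "add my IP" service Grant describes, written out as an added example (this is not code from the thread or from PLUG). It is a minimal stdlib HTTP endpoint: the client authenticates with HTTP Basic auth, and on success the TCP peer address is recorded in an in-memory allowlist with an expiry and turned into an `ipset add ... timeout N` command that a firewall rule can consume. The user store, the password, the set names `ssh-allow`/`ssh-allow6`, the TTL and the port are all constructed for the example.

```python
"""Dynamic SSH allowlist: authenticate over HTTPS, then open the firewall
for the caller's source address. Added example, not code from the thread;
the set names, users and TTL below are assumptions for illustration."""
import base64
import binascii
import hashlib
import hmac
import ipaddress
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List, Optional, Tuple

# Constructed credential store: user -> (salt, PBKDF2-SHA256 of password).
# A real deployment uses a random per-user salt stored with the hash.
_SALT = b"example-salt-use-a-random-per-user-salt"
_ROUNDS = 200_000


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ROUNDS)


USERS: Dict[str, Tuple[bytes, bytes]] = {
    "dave": (_SALT, _pbkdf2("correct horse battery staple", _SALT)),
}
# Assumed ipset names. ipset sets are per address family, so keep one each.
ALLOWLIST_SETS = {4: "ssh-allow", 6: "ssh-allow6"}
TTL_SECONDS = 3600            # entries lapse; re-authenticate to renew


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from an 'Authorization: Basic ...' header, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def check_credentials(user: str, password: str) -> bool:
    """Constant-time verify; unknown users still pay the PBKDF2 cost."""
    salt, expected = USERS.get(user, (_SALT, b"\x00" * 32))
    ok = hmac.compare_digest(_pbkdf2(password, salt), expected)
    return ok and user in USERS


def authorize(header: Optional[str]) -> Optional[str]:
    """Return the authenticated user name for a request header, or None."""
    creds = parse_basic_auth(header)
    if creds is None or not check_credentials(*creds):
        return None
    return creds[0]


class Allowlist:
    """In-memory allowlist with per-address expiry (single-process demo)."""

    def __init__(self, ttl: int = TTL_SECONDS) -> None:
        self.ttl = ttl
        self._expiry: Dict[str, float] = {}

    def add(self, ip: str, now: Optional[float] = None) -> str:
        """Validate ip, record it, and return the ipset command that enforces it.
        ipaddress rejects anything that is not a bare address, so no
        unvalidated client input can reach the command line."""
        addr = ipaddress.ip_address(ip)          # ValueError on junk
        now = time.time() if now is None else now
        self._expiry[str(addr)] = now + self.ttl
        return "ipset add -exist %s %s timeout %d" % (
            ALLOWLIST_SETS[addr.version], addr, self.ttl)

    def active(self, now: Optional[float] = None) -> List[str]:
        """Drop lapsed entries and return the addresses still allowed."""
        now = time.time() if now is None else now
        self._expiry = {ip: t for ip, t in self._expiry.items() if t > now}
        return sorted(self._expiry)


class AddMeHandler(BaseHTTPRequestHandler):
    allowlist = Allowlist()

    def do_GET(self) -> None:
        user = authorize(self.headers.get("Authorization"))
        if user is None:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="ssh-allowlist"')
            self.end_headers()
            return
        # Use the TCP peer address. Trust X-Forwarded-For only when a reverse
        # proxy you control sets it; otherwise any client can forge it.
        client_ip = self.client_address[0]
        cmd = self.allowlist.add(client_ip)
        # Production: subprocess.run(cmd.split(), check=True) as an account
        # permitted to run ipset; here the command is only built, not run.
        body = ("%s: allowed %s for %ds\n" % (user, client_ip, self.allowlist.ttl)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind to loopback and terminate TLS in a front-end proxy: Basic auth
    # sends the password in the clear without it.
    HTTPServer(("127.0.0.1", 8081), AddMeHandler).serve_forever()
```

To make the allowlist bite, the sets have to exist with timeouts enabled (`ipset create ssh-allow hash:ip timeout 3600` and `ipset create ssh-allow6 hash:ip family inet6 timeout 3600`) and the SSH port has to be gated on them, e.g. `iptables -A INPUT -p tcp --dport 22 -m set --match-set ssh-allow src -j ACCEPT` ahead of a DROP. Two caveats a practitioner would raise: a client behind NAT allowlists everyone sharing that public address, so the allowlist only limits exposure and should sit alongside the key-only authentication Dave already plans rather than replace it; and because entries expire on the ipset side as well, a crashed or restarted service does not leave addresses open indefinitely.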


/*
PLUG: http://plug.org, #utah on irc.freenode.net
*/
