Morgan Storey <[email protected]> writes:
> I am a big fan of the denyhosts package, it can warn you via email or sms
> gateway and lock IPs out on x number of failed attempts.
I am not sure I care that much about knowing every time a robot gets
banned. ;) Anyway, I found the distributed nature of denyhosts a much more
valuable service: it allows you to detect, in conjunction with others, hostile
machines *before* they have a chance to abuse your systems.
> There is also port knocking that I have found useful for remote support, but
> it is too difficult for end users I think.
It probably is, and given that there is *zero* security difference[1] between
any of the current "port knocking" schemes and some other solution that uses
user authentication to open the firewall for other remote access, using
something more user-friendly is probably a better strategy if you do want to
open SSH inbound only if someone authenticates somewhere else first.
Regards,
Daniel
Footnotes:
[1] ...or a security difference in favour of the non-"port knocking"
solutions, since they have better tested, audited and validated code, or
the scope to do more in terms of security.
--
✣ Daniel Pittman ✉ [email protected] ☎ +61 401 155 707
♽ made with 100 percent post-consumer electrons
Looking for work? Love Perl? In Melbourne, Australia? We are hiring.
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
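The two mechanisms discussed above, a per-host lock-out after a number of failed SSH logins and the pre-emptive blocking of hosts that other machines have already reported, as an added Python example that is not part of the thread and is not denyhosts' own code. The sshd log lines, the peer reports and the threshold/window values are constructed for the example; the log year is assumed because syslog lines carry none.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sshd log excerpt in syslog format (not real data).
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Mar  3 10:00:04 host sshd[2002]: Failed password for root from 203.0.113.5 port 51001 ssh2
Mar  3 10:00:08 host sshd[2003]: Failed password for invalid user test from 203.0.113.5 port 51002 ssh2
Mar  3 10:00:09 host sshd[2004]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Mar  3 10:00:15 host sshd[2005]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
Mar  3 10:05:30 host sshd[2006]: Failed password for invalid user oracle from 203.0.113.5 port 51003 ssh2
Mar  3 11:30:00 host sshd[2007]: Failed password for root from 192.0.2.9 port 33000 ssh2
Mar  3 11:30:02 host sshd[2008]: Failed password for root from 192.0.2.9 port 33001 ssh2
"""

# Constructed reports from hypothetical peer hosts: each list is the set of
# source addresses that one peer has already locked out.
PEER_REPORTS = [
    ["192.0.2.9", "203.0.113.5"],
    ["192.0.2.9"],
    ["198.51.100.250"],
]

FAILED_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2024):
    """Return (timestamp, ip, user) for every 'Failed password' line.

    Successful logins and unrelated lines are ignored. The year is assumed
    because syslog timestamps do not carry one.
    """
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        stamp = f"{year} {m['month']} {m['day']} {m['time']}"
        ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def find_offenders(events, threshold=3, window=timedelta(minutes=10)):
    """Map ip -> peak failure count for IPs that reach `threshold` failures
    inside any sliding `window`; the lock-out rule Morgan describes."""
    by_ip = defaultdict(list)
    for ts, ip, _user in sorted(events):
        by_ip[ip].append(ts)

    offenders = {}
    for ip, times in by_ip.items():
        start, peak = 0, 0
        for end, t in enumerate(times):
            # Slide the window start forward until it fits within `window`.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[ip] = peak
    return offenders


def merge_peer_reports(local_offenders, peer_reports, min_peers=2):
    """Block locally detected offenders plus any IP reported by at least
    `min_peers` other hosts, so hostile machines are denied before they
    attempt a login here (the distributed idea Daniel values)."""
    votes = Counter()
    for report in peer_reports:
        for ip in set(report):  # one vote per peer, however often it lists an IP
            votes[ip] += 1
    preemptive = {ip for ip, n in votes.items() if n >= min_peers}
    return preemptive | set(local_offenders)


def alert_messages(offenders):
    """Short notification lines, the kind one would hand to a mail/SMS gateway."""
    return [f"sshd: locking out {ip} after {n} failed logins" for ip, n in sorted(offenders.items())]


def hosts_deny_lines(blocked):
    """Render the block list as TCP-wrapper style hosts.deny entries."""
    return [f"sshd: {ip}" for ip in sorted(blocked)]


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    local = find_offenders(failures)
    for line in alert_messages(local):
        print(line)
    for line in hosts_deny_lines(merge_peer_reports(local, PEER_REPORTS)):
        print(line)
```

On the sample data only 203.0.113.5 trips the local threshold (four failures within ten minutes); 192.0.2.9 has just two local failures but is blocked anyway because two peers have reported it, while a host reported by a single peer is left alone, which is the trade-off a `min_peers` setting controls.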