DragonFly users List (threaded) for 2010-03
Re: Security process
Jan Lentfer wrote:
> For such things I use denyhosts which works great for blocking script
> kiddies' ssh attacks. It only works with software using tcpwrappers though.
Solutions that blocks IP addresses automatically can be
susceptible to DoS attacks. You have to be very careful
when you do that.
I think a better solution is to move sshd to a non-standard
port and disable password authentication.
Of course, changing the sshd port is not a security measure
by itself ("security by obscurity" doesn't count), but it
keeps all those script kiddies from filling my log files so
/var/log/security is more readable, and it keeps sshd(8)
from forking every few seconds. Those bastards are already
consuming too many resources of mine by sending a SYN packet
through my uplink. I'm definitely not willing to give them
any more resources than absolutely necessary. ;-)
(BTW, thanks to ~/.ssh/config I don't even have to remember
the new port number.)
The important thing is to disable password authentication.
Once you've done that, you can sit back and relax while
looking at all those pointless attempts to crack your pass-
words. They won't succeed because there are no passwords.
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Handelsregister: Registergericht Muenchen, HRA 74606, Geschäftsfuehrung:
secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht Mün-
chen, HRB 125758, Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart
FreeBSD-Dienstleistungen, -Produkte und mehr: http://www.secnetix.de/bsd