On Sun, 14 Jan 2007 15:39:30 +0100
Erik Norgaard <[EMAIL PROTECTED]> wrote:

> - enforce key authentication

From memory, you still get the 'user unknown' messages if you have only key
auth.

> - restrict access to certain users or groups of users

I would say, idem here.

> - deny direct access as root

This is obvious... and a default in BSD (I don't think it's a default in some
(most?) Linux distros though).

> - enforce strong passwords, if you can't enforce key authentication
> - limit the ip address space that is allowed to connect, to the space
>    where you or your users are likely to be
> - limit the number of simultaneous unauthenticated connections

I would add to limit the number of password retries - so if they want to
hammer you, at least they'll have to try a new connection. Of course, this
leaves you open to a DoS... but, well, I guess you are still open to that the
second you're on the net :)

Moving the TCP port away from the default WILL diminish the attempts - it will
NOT PROVIDE YOU WITH EXTRA SECURITY AT ALL, so you still should configure key
auth + limit users + deny root, etc.

_________________________
{Beto|Norberto|Numard} Meijome

"Everything should be made as simple as possible, but not simpler."
  Albert Einstein

I speak for myself, not my employer. Contents may be hot. Slippery when wet.
Reading disclaimers makes you go blind. Writing them is worse. You have been
Warned.
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
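The checklist discussed in this thread (Erik's list plus the retry cap and the port remark from the reply above), as an added example that is not code from either poster: a hardened sshd_config fragment next to a config that still carries the upstream defaults, and a POSIX sh audit function that flags each weak or missing setting. The keyword names are OpenSSH's sshd_config(5) keywords; the group name sshusers, port 2222, the MaxStartups values and the retry threshold of 3 are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: a hardened sshd_config fragment
# covering the points raised (key-only auth, user/group restriction, no root
# login, capped retries, capped unauthenticated connections, non-default port)
# and a small audit function that flags the weak or default settings.
# Keyword names are OpenSSH sshd_config(5); the group name, port, MaxStartups
# values and the MaxAuthTries threshold of 3 are assumptions.

# Constructed sample: the hardened configuration.
HARDENED_SSHD_CONFIG='
# key authentication only (PAM keyboard-interactive would otherwise still
# accept passwords, so both password knobs are turned off)
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
AllowGroups sshusers
MaxAuthTries 3
MaxStartups 10:30:60
Port 2222
'

# Constructed sample: a config that still has the upstream defaults in place.
WEAK_SSHD_CONFIG='
PasswordAuthentication yes
PermitRootLogin yes
MaxAuthTries 6
Port 22
'

# sshd_opt CONFIG_TEXT KEYWORD: print the lower-cased value of KEYWORD; the
# first occurrence wins, as in sshd(8); empty output if the keyword is unset.
# Comments are stripped; Match blocks are not handled (simplification).
sshd_opt() {
    printf '%s\n' "$1" | awk -v key="$2" '
        { sub(/#.*/, "") }
        NF >= 2 && tolower($1) == tolower(key) { print tolower($2); exit }'
}

# audit_sshd_config CONFIG_TEXT: print one line per finding and return the
# number of findings, so 0 means nothing on the checklist is missing.
audit_sshd_config() {
    cfg=$1
    n=0

    v=$(sshd_opt "$cfg" PasswordAuthentication)
    [ "$v" = no ] || { echo "FINDING: PasswordAuthentication ${v:-unset (default yes)}; enforce key auth"; n=$((n+1)); }

    # Newer OpenSSH calls this KbdInteractiveAuthentication; the old name is an alias.
    v=$(sshd_opt "$cfg" KbdInteractiveAuthentication)
    [ -n "$v" ] || v=$(sshd_opt "$cfg" ChallengeResponseAuthentication)
    [ "$v" = no ] || { echo "FINDING: keyboard-interactive auth ${v:-unset (default yes)}; passwords via PAM are still accepted"; n=$((n+1)); }

    v=$(sshd_opt "$cfg" PermitRootLogin)
    [ "$v" = no ] || { echo "FINDING: PermitRootLogin ${v:-unset (upstream default is not 'no')}; deny direct root access"; n=$((n+1)); }

    if [ -z "$(sshd_opt "$cfg" AllowUsers)" ] && [ -z "$(sshd_opt "$cfg" AllowGroups)" ]; then
        echo "FINDING: no AllowUsers/AllowGroups; every account with a shell may try to log in"; n=$((n+1))
    fi

    v=$(sshd_opt "$cfg" MaxAuthTries)
    if [ -z "$v" ] || [ "$v" -gt 3 ]; then
        echo "FINDING: MaxAuthTries ${v:-unset (default 6)}; cap retries so each attempt costs a new connection"; n=$((n+1))
    fi

    v=$(sshd_opt "$cfg" MaxStartups)
    [ -n "$v" ] || { echo "FINDING: MaxStartups unset; limit simultaneous unauthenticated connections"; n=$((n+1)); }

    # Port is reported but never counted: moving it cuts log noise, not risk.
    v=$(sshd_opt "$cfg" Port)
    [ -n "$v" ] && [ "$v" != 22 ] || echo "NOTE: Port ${v:-22 (default)}; changing it reduces noise only, not exposure"

    return "$n"
}

# Usage: audit both samples; a non-zero return is the number of findings.
echo "== hardened =="; audit_sshd_config "$HARDENED_SSHD_CONFIG" || echo "findings: $?"
echo "== weak ==";     audit_sshd_config "$WEAK_SSHD_CONFIG"     || echo "findings: $?"
```

To run it against a live host, replace the constructed strings with `$(cat /etc/ssh/sshd_config)`; the function only inspects the global section, so settings inside Match blocks need a separate look, and the exit code can feed a cron job or a config-management check.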
