On Sun, 14 Jan 2007 15:39:30 +0100 Erik Norgaard <[EMAIL PROTECTED]> wrote:
> - enforce key authentication

From memory, you still get the 'user unknown' messages if you have only key auth.

> - restrict access to certain users or groups of users

I would say, idem here.

> - deny direct access as root

This is obvious... and a default in BSD (I don't think it's a default in some (most?) Linux distros though).

> - enforce strong passwords, if you can't enforce key authentication
> - limit the ip address space that is allowed to connect, to the space
> where you or your users are likely to be
> - limit the number of simultaneous unauthenticated connections

I would add to limit the number of password retries - so if they want to hammer you, at least they'll have to try a new connection. Of course, this leaves you open to a DoS... but, well, I guess you are still open to that the second you're on the net :)

Moving the default TCP port to other than the default WILL diminish the attempts - it will NOT PROVIDE YOU WITH EXTRA SECURITY AT ALL, so you still should configure key auth + limit users + deny root, etc.

_________________________
{Beto|Norberto|Numard} Meijome

"Everything should be made as simple as possible, but not simpler."
  Albert Einstein

I speak for myself, not my employer. Contents may be hot. Slippery when wet.
Reading disclaimers makes you go blind. Writing them is worse. You have been Warned.
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
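The checklist above (key-only auth, AllowUsers/AllowGroups, PermitRootLogin no, MaxAuthTries, MaxStartups, and the port change that only cuts noise) maps directly onto sshd_config keywords. The script below is an added example written for this page, not something posted in the thread: it audits a given sshd_config against that list and reports what is weak or missing. Assumptions of the example: OpenSSH's first-occurrence-wins rule for keywords, everything after the first "Match" line is ignored, only the "Keyword value" form is parsed (not "Keyword=value"), the defaults assumed for unset keywords follow current sshd_config(5), and the MaxAuthTries threshold of 3 is this example's choice. The two sample configs are constructed for the demo, not taken from any real host.

```shell
#!/bin/sh
# Audit an sshd_config against the hardening checklist from the thread.
# Example code written for this page, not from the original mail.
# Assumptions: first occurrence of a keyword wins, options after a "Match"
# line are ignored, "Keyword value" form only, and the MaxAuthTries <= 3
# threshold is this example's choice.

# sshd_setting FILE KEYWORD: print the effective value of KEYWORD, or nothing.
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/   { next }     # skip comments and blank lines
        tolower($1) == "match" { exit }     # global section ends at first Match
        tolower($1) == key     { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd_config FILE: print one WEAK line per missing/weak setting,
# plus an INFO line about the port (which is not counted as a finding).
audit_sshd_config() {
    f="$1"

    # 1. Key authentication instead of passwords (sshd default: yes).
    v=$(sshd_setting "$f" PasswordAuthentication); v=${v:-yes}
    [ "$v" = "no" ] || echo "WEAK  PasswordAuthentication=$v (use keys: set to no)"

    # 2. Restrict which accounts may log in at all.
    u=$(sshd_setting "$f" AllowUsers); g=$(sshd_setting "$f" AllowGroups)
    [ -n "$u$g" ] || echo "WEAK  no AllowUsers/AllowGroups: every local account is an SSH target"

    # 3. No direct root login (sshd's own default is prohibit-password).
    v=$(sshd_setting "$f" PermitRootLogin); v=${v:-prohibit-password}
    [ "$v" = "no" ] || echo "WEAK  PermitRootLogin=$v (set to no)"

    # 4. Limit auth retries per connection (sshd default: 6); a low value
    #    forces an attacker to reconnect after a few guesses.
    v=$(sshd_setting "$f" MaxAuthTries); v=${v:-6}
    [ "$v" -le 3 ] || echo "WEAK  MaxAuthTries=$v (set to 3 or fewer)"

    # 5. Limit simultaneous unauthenticated connections (default 10:30:100).
    v=$(sshd_setting "$f" MaxStartups)
    [ -n "$v" ] || echo "WEAK  MaxStartups unset (relying on default 10:30:100; set it explicitly)"

    # Moving the port only reduces log noise; report it, do not count it.
    p=$(sshd_setting "$f" Port); p=${p:-22}
    [ "$p" != "22" ] || echo "INFO  Port=22: a non-default port cuts noise but is not a security control"
}

# count_findings FILE: number of WEAK lines (0 means the checklist is met).
count_findings() {
    audit_sshd_config "$1" | grep -c '^WEAK' || true
}

# Constructed sample configs for the demo (not from any real host).
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
# stock-looking config that leans on defaults
Port 22
PermitRootLogin yes
#PasswordAuthentication no
EOF
cat > "$HARD_CFG" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowGroups sshusers
MaxAuthTries 3
MaxStartups 5:50:20
Match User backup
    PasswordAuthentication yes
EOF

echo "== weak config ==";     audit_sshd_config "$WEAK_CFG"
echo "== hardened config =="; audit_sshd_config "$HARD_CFG"
```

Run it against /etc/ssh/sshd_config on a host to see which items of the list are still open; the "Match User backup" block in the hardened sample is deliberately there to show that the auditor stops at the first Match line, as sshd does for the global section, so per-user exceptions are not mistaken for the global policy.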