Nick Daly <nick.m.d...@gmail.com> writes:

> I'd like to throw one more alternative into the mix:
>
> On Wed, Mar 19, 2014 at 1:38 AM, Petter Reinholdtsen <p...@hungry.com> wrote:
>> - iptables / ufw rules
>> - libpam-shield - locks out remote attackers trying password guessing
>> - libpam-abl - blocks hosts which are attempting a brute force attack
>> - fail2ban - ban hosts that cause multiple authentication errors
>> - (*) denyhosts - Utility to help sys admins thwart SSH crackers
>
> - Figure out how to make key authentication easy for end user's
>   devices and disable password authentication on boxen altogether.

Quite, although bootstrapping may be an issue then.

Another thing that might help, but is also perhaps too complicated for normal people, would be port-knocking, so that we're not even listening to ssh until activated by nudging the right port(s).

Likewise, listening on something other than port 22 would help but may be too complicated for normal users, and both are really just security through obscurity.

This discussion also prompted me to wonder if it would be good to run a tarpit on a spare IP address and/or on unused ports, as well as (if possible) tarpitting connections that try logging in as root with a password, say.

The package xtables-addons-dkms apparently includes the tarpit module (I'd not realised it was packaged until I looked just now).

Cheers, Phil.
--
|)| Philip Hands [+44 (0)20 8530 9560] http://www.hands.com/
|-| HANDS.COM Ltd. http://ftp.uk.debian.org/
|(| 10 Onslow Gardens, South Woodford, London E18 1NE ENGLAND

_______________________________________________
Freedombox-discuss mailing list
Freedombox-discuss@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
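
An added example, not part of the original thread or of FreedomBox's code: a check that the "disable password authentication" suggestion quoted above has actually taken effect in an sshd_config, following sshd's rule that the first value read for a keyword wins and flagging Match blocks that turn passwords back on. The sample configuration is constructed, the function names are hypothetical, and Include files are assumed not to be in use.

```python
import re

# Deprecated spelling that sshd treats as the same option.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
# Password-style methods and the value sshd assumes when the keyword is absent.
DEFAULTS = {"passwordauthentication": "yes", "kbdinteractiveauthentication": "yes"}

def parse(text):
    """Split a config into global settings and (criteria, settings) Match blocks."""
    global_cfg, blocks = {}, []
    current = global_cfg
    for raw in text.splitlines():
        m = re.match(r"([A-Za-z]+)[\s=]+(\S.*)", raw.strip())
        if not m:                      # blank line, comment or malformed
            continue
        key = m.group(1).lower()       # keywords are case-insensitive
        key = ALIASES.get(key, key)
        if key == "match":             # a block runs to the next Match or EOF
            current = {}
            blocks.append((m.group(2).strip(), current))
        else:                          # first value wins, duplicates are ignored
            current.setdefault(key, m.group(2).split()[0].lower())
    return global_cfg, blocks

def audit(text):
    """Return findings that leave a password-style login possible."""
    global_cfg, blocks = parse(text)
    findings = []
    for key, default in DEFAULTS.items():
        if global_cfg.get(key, default) != "no":
            how = "explicitly" if key in global_cfg else "by default"
            findings.append(f"global: {key} is enabled {how}")
    for criteria, cfg in blocks:       # Match blocks override the global value
        for key in DEFAULTS:
            if key in cfg and cfg[key] != "no":
                findings.append(f"Match {criteria}: {key} is re-enabled")
    return findings

# Constructed sample, not taken from any real box.
SAMPLE = """\
Port 22
PasswordAuthentication no
# the next line is ignored: sshd keeps the first value it read
PasswordAuthentication yes
ChallengeResponseAuthentication no
Match Address 192.168.0.0/16
    PasswordAuthentication yes
"""
print("\n".join(audit(SAMPLE)))
```

On a live system, `sshd -T` prints the effective configuration and is the authoritative cross-check.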