On Mon, Jan 16, 2012 at 08:23:33AM +0700, Pandu Poluan wrote:
> That depends on who is authorized to access the boxen via SSH. In my case,
> only the IT Division is authorized to access them via SSH, so the "real
> sysadmin" in me (g) decides it is much easier to shift the port rather than
> implementing esoteric hardening stuff ;-)
>
> Plus, I get the benefit of ridiculing any IT guy/gal who managed to get
> him-/herself locked out (thanks to the auto-blacklist) B-)
The opposite of auto-blacklisting is port-knocking. Think of it as
auto-unblacklisting, where the world is blacklisted by default. See...

http://www.hostsvault.com/blog/howto-protect-services-like-ssh-against-brute-force-using-only-iptables-port-knocking/

The idea is that your external service is blocked to everybody by default.
When an external IP address "knocks" in sequence on the right 3 ports
(specified in iptables), it is then allowed a few seconds to establish a
connection (ssh/ftp/whatever).

--
Walter Dnes <waltd...@waltdnes.org>
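As an added worked example of the iptables-only knocking Walter describes (this is not code from the thread or from the linked article; the knock ports 7000/8000/9000, the 10-second gap allowed between knocks and the 30-second window after the third knock are assumptions), here is a self-contained script built on the iptables "recent" match:

```shell
#!/bin/sh
# Port knocking with the iptables "recent" module: a source address that
# hits KNOCK1, KNOCK2, KNOCK3 in order is allowed to open TCP/SSH_PORT
# for OPEN_WINDOW seconds. Added illustration, not code from the thread;
# the port numbers and timeouts below are assumptions.
set -eu

IPTABLES="${IPTABLES:-iptables}"  # IPTABLES=echo prints the rules instead
KNOCK1=7000                        # assumed knock sequence
KNOCK2=8000
KNOCK3=9000
SSH_PORT=22
KNOCK_GAP=10      # seconds allowed between consecutive knocks
OPEN_WINDOW=30    # seconds after the third knock in which SSH may connect

ipt() { "$IPTABLES" "$@"; }

install_knock_rules() {
    # Create (or empty) the user-defined chains before anything jumps to them.
    for chain in KNOCKING GATE1 GATE2 GATE3 PASSED; do
        ipt -N "$chain" 2>/dev/null || true
        ipt -F "$chain"
    done

    # Sessions already established (and loopback) never go through the gates,
    # so an open SSH session survives after its window has expired.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Only the knock ports and the protected port are subject to knocking;
    # other services on the host are unaffected.
    ipt -A INPUT -p tcp -m multiport \
        --dports "$KNOCK1,$KNOCK2,$KNOCK3,$SSH_PORT" -j KNOCKING

    # GATE1: the first knock records the source in list AUTH1. The knock
    # packet itself is still dropped, so a port scan sees nothing open.
    ipt -A GATE1 -p tcp --dport "$KNOCK1" -m recent --name AUTH1 --set -j DROP
    ipt -A GATE1 -j DROP

    # GATE2: reached only by sources in AUTH1. A correct second knock moves
    # the source to AUTH2; anything else falls back to GATE1 (start over).
    ipt -A GATE2 -m recent --name AUTH1 --remove
    ipt -A GATE2 -p tcp --dport "$KNOCK2" -m recent --name AUTH2 --set -j DROP
    ipt -A GATE2 -j GATE1

    # GATE3: same step for the third knock, promoting AUTH2 to AUTH3.
    ipt -A GATE3 -m recent --name AUTH2 --remove
    ipt -A GATE3 -p tcp --dport "$KNOCK3" -m recent --name AUTH3 --set -j DROP
    ipt -A GATE3 -j GATE1

    # PASSED: one SSH connection attempt is accepted, then the entry is
    # consumed; the next attempt from that source must knock again.
    ipt -A PASSED -m recent --name AUTH3 --remove
    ipt -A PASSED -p tcp --dport "$SSH_PORT" -j ACCEPT
    ipt -A PASSED -j GATE1

    # KNOCKING: dispatch on how far the source has got, most advanced first.
    # --rcheck --seconds N only matches entries younger than N seconds, which
    # is what makes a stalled or stale sequence expire.
    ipt -A KNOCKING -m recent --rcheck --seconds "$OPEN_WINDOW" --name AUTH3 -j PASSED
    ipt -A KNOCKING -m recent --rcheck --seconds "$KNOCK_GAP" --name AUTH2 -j GATE3
    ipt -A KNOCKING -m recent --rcheck --seconds "$KNOCK_GAP" --name AUTH1 -j GATE2
    ipt -A KNOCKING -j GATE1
}

# Client side: send the knocks as plain TCP connection attempts. The server
# drops them, so each nc gives up after 1 second; the flags shown are for
# OpenBSD-style nc and differ between netcat implementations.
knock() {
    host=$1; shift
    for port in "$@"; do
        nc -z -w 1 "$host" "$port" 2>/dev/null || true
    done
}

# usage:  sudo sh knock.sh install          (or IPTABLES=echo sh knock.sh install)
#         knock server.example 7000 8000 9000 && ssh server.example
if [ "${1:-}" = "install" ]; then
    install_knock_rules
fi
```

Run it with IPTABLES=echo first to see the rules it would load; it appends to INPUT, so it belongs in the boot-time firewall script and is not meant to be re-run. Two caveats worth keeping in mind alongside the auto-blacklist joke above: the knocks travel as plain SYNs, so anyone who can sniff the path can replay the sequence (it hides the port from scanners, it is not authentication, so keep key-only SSH behind it), and a mistyped sequence or an expired window locks you out just as surely as the blacklist does, so keep console access.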