In message <[EMAIL PROTECTED]>, Steve Williams writes:

> I block brute force attacks using PF. They get a small set of attempts
> before they are blocked. Very trivial.
>
> pass in on $ext_if proto tcp to $ext_if port ssh flags S/SA \
>     keep state (max-src-conn-rate 5/40, overload <scanners>)
> block in log on $ext_if proto tcp from <scanners> to $ext_if port ssh

Trivial, perhaps... but an excellent example of how to use tables to manage possible intrusion attempts. A very good one!

> Voila, I still have root access, with a hard to guess password, and
> people trying to brute force me are blocked. Of course, there could be
> a "distributed" brute force attack... but how paranoid do you want to get??

A distributed brute force attack against your setup is, at best, very challenging. This attack would be possible only if you are the target of a highly talented security expert. No one is so paranoid as to believe that a distributed attack able to pass your protection will happen, though.

> I also rely on having the ability to install/upgrade remotely and ssh
> into the system post install. With root access blocked off, well... kind
> of hard!

I believe I missed the point here. On an upgrade, user accounts should not be lost. A fresh install usually requires a console (e.g., a port server connected to the first serial port on the computer) and a special firmware on the device (something like the ComBIOS on the Soekris communication computers, or the extended BIOS on the Dell PowerEdges or Siemens Nixdorf PCD-5T computers). In this case, root access from the console should not be a problem at all.

I am curious... how can OpenBSD be remotely installed on a computer without a setup like that one? How can the installer be run remotely without a device that the operating system calls "console"?

I usually copy the installation sets of OpenBSD to a bootable CF on my Soekris before making a fresh install (I usually avoid upgrades). Even in this case, I need something to use as a console (e.g., a serial cable that connects the Soekris computer to a serial port on a machine that can be accessed by ssh).

Just curious!

Igor.
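The table-driven blocking in the quoted rules, written out as a complete pf.conf fragment. This is an added example, not Steve's or Igor's configuration: the table name, the `5/40` rate and the ssh port come from the quoted rules; the interface name `em0`, the `persist`, `quick` and `flush global` options are assumptions made here for illustration.

```pf
# Added example, not from the original message. Expands the quoted
# max-src-conn-rate/overload rules; "em0", "persist", "quick" and
# "flush global" are assumed extras, not part of the original post.
ext_if = "em0"                       # assumed external interface name

# "persist" keeps the table (and its entries) across a rule reload
# with "pfctl -f /etc/pf.conf", even while no rule references it.
table <scanners> persist

# Evaluate the block rule first and with "quick", so a listed source is
# dropped immediately and the pass rule below never gets a chance to
# match it (pf otherwise uses the last matching rule).
block in quick log on $ext_if proto tcp from <scanners> to $ext_if port ssh

# More than 5 new SSH connections within 40 seconds from one source
# address adds that address to <scanners>. "flush global" also kills
# the states that source already holds, so an in-progress session from
# the offending address is cut off rather than left running.
pass in on $ext_if proto tcp to $ext_if port ssh flags S/SA \
    keep state (max-src-conn-rate 5/40, overload <scanners> flush global)
```

Entries added by `overload` never expire on their own. `pfctl -t scanners -T show` lists what has been caught, `pfctl -t scanners -T delete <address>` releases a single address (a colleague who mistyped a password), and a cron job running `pfctl -t scanners -T expire 86400` drops entries older than a day so the table does not grow without bound. Note that the counter is per source address: several legitimate users behind one NAT gateway share one limit, so a busy office can trip the rate and block itself along with any scanner.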